
Re: Discussion on eventual transition away from source packages



On Friday, 22 March 2019, 09:32:55 CEST, Lucas Nussbaum wrote:
> I'm probably missing something, but it doesn't sound like a lot of work
> to me? It's "just" a service that:
> - gets notified of the existence of a git repo + tag to upload
> - fetches that git repo + tag
> - checks signature / confirms that the GPG key owner is allowed to upload
>   that package
> - builds a Debian source package
> - uses a slightly different path to accept the source package (because
>   the .dsc and .changes wouldn't be signed)
> 
> This could exist in parallel to the current upload scheme.
> 
> And it's a terrible idea, but it could even be implemented as a
> third-party service, run by a DD that would do that and sign+upload the
> source package using the DD's own GPG key.

Eh. I have fond memories of DebConf11 discussions about pretty much this idea.
The point so far has been that no DD wanted to "risk" their GPG key for that 
(and/or risk getting hit by social blame triggered by automated/wrong 
uploads).

Times have changed, maybe it could be done now after all. :-)

-- 
    OdyX
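
The "checks signature / confirms that the GPG key owner is allowed to upload that package" step from the quoted list, sketched as an added example that is not part of this thread or of any Debian service. It assumes the service captures the GnuPG status output that `git verify-tag --raw <tag>` prints; the `ALLOWED` table, package name and fingerprints are constructed.

```python
# Added example: decide whether a signed git tag may trigger an upload.
# Input: GnuPG status lines as printed by `git verify-tag --raw <tag>`.
# ALLOWED, the package name and all fingerprints below are constructed.

REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(status_text):
    """Return (keyword, args) for every '[GNUPG:] ...' status line."""
    records = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            records.append((parts[1], parts[2:]))
    return records

def authorize_upload(status_text, package, allowed):
    """Return (accepted, reason) for one tag verification result."""
    records = parse_status(status_text)
    bad = REJECT.intersection(k for k, _ in records)
    if bad:
        # gpg can emit VALIDSIG next to EXPKEYSIG/REVKEYSIG, so check these first.
        return False, "rejected: " + ",".join(sorted(bad))
    valid = [args for k, args in records if k == "VALIDSIG"]
    if len(valid) != 1 or len(valid[0]) < 10:
        return False, "expected exactly one well-formed VALIDSIG"
    # VALIDSIG: first field is the signing (sub)key, last is the primary key.
    primary = valid[0][-1].upper()
    if primary not in allowed.get(package, set()):
        return False, "key %s may not upload %s" % (primary, package)
    return True, "ok: " + primary

SUBKEY, PRIMARY = "11" * 20, "AA" * 20     # constructed fingerprints
ALLOWED = {"hello": {PRIMARY}}             # constructed package -> uploader keys

VALIDSIG = "[GNUPG:] VALIDSIG %s 2019-03-22 1553243575 0 4 0 1 10 00 %s" % (
    SUBKEY, PRIMARY)
GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1111111111111111 Constructed Uploader <dd@example.org>",
    VALIDSIG,
])
EXPIRED = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] EXPKEYSIG 1111111111111111 Constructed Uploader <dd@example.org>",
    VALIDSIG,
])

if __name__ == "__main__":
    for name, status in (("good", GOOD), ("expired", EXPIRED), ("unsigned", "")):
        print(name, authorize_upload(status, "hello", ALLOWED))
```

Matching on the primary key fingerprint from `VALIDSIG`, rather than on the user ID shown in `GOODSIG`, keeps the authorization tied to the key and not to a name anyone can put on a key.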
