On Friday, 22 March 2019, 09:32:55 CEST, Lucas Nussbaum wrote:
> I'm probably missing something, but it doesn't sound like a lot of work
> to me? It's "just" a service that:
> - gets notified of the existence of a git repo + tag to upload
> - fetches that git repo + tag
> - checks signature / confirm that the GPG key owner is allowed to upload
>   that package
> - build a Debian source package
> - uses a slightly different path to accept the source package (because
>   the .dsc and .changes wouldn't be signed)
>
> This could exist in parallel to the current upload scheme.
>
> And it's a terrible idea, but it could even be implemented as a
> third-party service, run by a DD that would do that and sign+upload the
> source package using the DD's own GPG key.

Eh. I have fond memories of DebConf11 discussions about pretty much this idea. The point so far has been that no DD wanted to "risk" their GPG key for that (and/or risk getting hit by social blame triggered by automated/wrong uploads).

Times have changed, maybe it could be done now after all. :-)

-- 
OdyX
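The "checks signature / confirm that the GPG key owner is allowed to upload that package" step from the quoted list, as an added example (not part of either message and not Debian's code). It assumes the service has run `git verify-tag --raw` on the fetched tag and captured the GnuPG status lines; the allowlist, package name, fingerprints and status text are constructed.

```python
# Added example: authorize a signed tag from captured GnuPG status output.
# Statuses that must fail the check. gpg still emits VALIDSIG for a
# cryptographically valid signature made by an expired or revoked key.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

PRIMARY = "A" * 40  # constructed primary-key fingerprint
SUBKEY = "B" * 40   # constructed signing-subkey fingerprint

# Hypothetical per-package upload permissions: package -> primary fingerprints.
ALLOWED = {"hello": {PRIMARY}}

def signer_fingerprint(status_text):
    """Return the primary-key fingerprint of the single valid signature, else None."""
    valid = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # only machine-readable status lines count
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in REJECT:
            return None  # fail closed on any bad, expired or revoked status
        if keyword == "VALIDSIG" and len(fields) >= 12:
            # Last field is the primary key fingerprint; the first argument
            # may be a signing subkey, so it is not used for authorization.
            valid.append(fields[-1].upper())
    return valid[0] if len(valid) == 1 else None

def may_upload(package, status_text, allowed=ALLOWED):
    """True only if one valid signature exists and its key may upload `package`."""
    fpr = signer_fingerprint(status_text)
    return fpr is not None and fpr in allowed.get(package, set())

# Constructed sample status output for a good signature made with a subkey.
GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Uploader <uploader@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY} 2019-03-22 1553243575 0 4 0 1 8 00 {PRIMARY}\n"
)
# Constructed sample: same signature, but the signing key has expired.
EXPIRED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] EXPKEYSIG AAAAAAAAAAAAAAAA Constructed Uploader <uploader@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY} 2019-03-22 1553243575 0 4 0 1 8 00 {PRIMARY}\n"
)

if __name__ == "__main__":
    print(may_upload("hello", GOOD), may_upload("hello", EXPIRED))
```

Matching on the full primary fingerprint rather than a key ID or the name in `GOODSIG` keeps the authorization decision tied to the key itself, and scoping the allowlist per package limits what a single compromised key can upload.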