Russ Allbery <rra@debian.org> writes:

> Marco d'Itri <md@Linux.IT> writes:
>> rra@debian.org wrote:
>
>>> My understanding is that the problem with this design from their
>>> perspective is that it requires a fat client on the uploader's system,
>>> and the whole point of tag2upload is to stop requiring a fat client on
>>> the uploader's system. In particular, it requires all the code to
>>> reconstruct the source package from a Git tree be installed locally,
>>> which is basically a full dgit implementation.
>
>> Does it? What if both the tag2upload client and server implemented
>> instead some very simple serialization and canonicalization algorithm
>> over the source package?
>
> The serialization isn't the problem, constructing the source package is.
> Once you have a source package, there are lots of things you can do, but
> the problem is precisely that going from a Git tree to a source package is
> non-trivial and involves a whole bunch of Debian-specific code.

We seem to be very focused on how one might reproduce the source package,
to make sure that it can be bit-for-bit generated from the signed tag,
which is clearly a hard thing to do.

Do we actually need to do that at all?

Would it not be sufficient to check that the resulting source package is a
reasonable representation of the content pointed at by the signed tag?

Given that we already have the source package at the point when we need to
do this check, that really ought to be a lot easier than building the
source package in the first place.

If we had a tool that did that check, such that you could feed it a source
package and a tag, and it would tell you if the source package was
correctly generated from the tag, would that be enough to satisfy the FTP
masters?

If so, is there anything that makes it difficult to create such a tool?
(my naive perception is that it's a lot easier to untar a tarball, and
check that the contents match a git checkout than it is to make sure that
git-archive is reproducible, and that this situation seems somehow
analogous to that)

Cheers, Phil.
--
Philip Hands -- https://hands.com/~phil
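The check Phil sketches, written up as an added example that is not part of this thread nor of tag2upload or dgit: given the blob ids for the tag's tree (assumed to have been parsed by the caller from `git ls-tree -r <tag>`) and the bytes of the tarball, it reports every difference in either direction, so an extra file in the tarball is a finding just as a changed one is, and it refuses to compare tar members that cannot be trusted (path traversal, absolute paths, symlinks). The exclusion list a real orig tarball needs (debian/, .gitignore and so on) is assumed to be applied by the caller and is left out here.

```python
import hashlib
import io
import tarfile
from pathlib import PurePosixPath

def git_blob_id(data: bytes) -> str:
    # Hash as git does for a blob, so ids from `git ls-tree -r <tag>` compare directly.
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def tarball_blobs(tar_bytes: bytes):
    # Map path (top-level directory stripped) -> blob id for regular files only.
    blobs, problems = {}, []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf:
            p = PurePosixPath(m.name)
            if m.isdir():
                continue
            # Traversal, absolute paths, symlinks/devices or files outside the
            # single top-level directory are findings, never silently compared.
            if p.is_absolute() or ".." in p.parts or not m.isfile() or len(p.parts) < 2:
                problems.append(f"unsafe, stray or non-regular member: {m.name}")
                continue
            blobs[str(PurePosixPath(*p.parts[1:]))] = git_blob_id(tf.extractfile(m).read())
    return blobs, problems

def compare(tree: dict, tar_bytes: bytes) -> list:
    """tree: path -> blob id, assumed parsed from `git ls-tree -r <tag>`."""
    blobs, problems = tarball_blobs(tar_bytes)
    for path in sorted(set(tree) | set(blobs)):  # two-sided: extras count too
        if path not in tree:
            problems.append(f"extra file in tarball: {path}")
        elif path not in blobs:
            problems.append(f"missing from tarball: {path}")
        elif tree[path] != blobs[path]:
            problems.append(f"content differs: {path}")
    return problems  # [] means the tarball matches the tag's tree

def build_tarball(files: dict) -> bytes:
    buf = io.BytesIO()  # constructed in memory so the example runs offline
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the tag's tree, a faithful tarball and a tampered one.
TREE_FILES = {"README": b"hello\n", "src/main.c": b"int main(void){return 0;}\n"}
TREE = {p: git_blob_id(d) for p, d in TREE_FILES.items()}
GOOD_TAR = build_tarball({"pkg-1.0/" + p: d for p, d in TREE_FILES.items()})
BAD_TAR = build_tarball({"pkg-1.0/README": b"hello\n",
                         "pkg-1.0/src/main.c": b"int main(void){return 1;}\n",
                         "pkg-1.0/build-aux/extra.m4": b"not in the tag\n"})
```

`compare(TREE, GOOD_TAR)` returns an empty list, while `compare(TREE, BAD_TAR)` names both the changed file and the file the tag never contained.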