Part of the problem space is to prevent another xz-style compromise where the tarball contained stuff not in git. So, probably yes.

We seem to be very focused on how one might reproduce the source package, to make sure that it can be bit-for-bit generated from the signed tag, which is clearly a hard thing to do. Do we actually need to do that at all?
Would it not be sufficient to check that the resulting source package is a reasonable representation of the content pointed at by the signed tag.
Define "reasonable". Given the myriad of workflows that dgit supports, you'd have to re-run it.
Just to mention one data point, there's no reasonable way to automatically distinguish "they re-ran autoconf" from "they inserted a backdoor into src/Makefile.in". There are plenty others.
-- with kind regards -- Matthias Urlichs
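As an added illustration of the point made in the thread (this is example code, not part of the original mails and not from dgit or tag2upload), the check below compares a signed tag's file tree against an unpacked tarball. It can flag files that were added or changed, but it cannot clear a changed `src/Makefile.in` as "just regenerated": those files can only be put in a needs-manual-review bucket. The listings, hashes and file names are constructed in-memory samples; in practice they would come from `git ls-tree -r <tag>` plus hashing, and from walking the extracted tarball.

```python
"""Compare a signed git tag's file tree against an unpacked source tarball."""
import hashlib
import re

# Files that autotools regenerate. Automation can flag a change here but not
# tell a regenerated file from a backdoored one; both hash differently.
AUTOTOOLS_GENERATED = re.compile(
    r"(^|/)(configure|Makefile\.in|aclocal\.m4|config\.h\.in)$")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_tag_to_tarball(tag_tree: dict, tarball: dict) -> dict:
    """Both arguments map path -> sha256 hex digest of the file content."""
    only_in_tarball = sorted(set(tarball) - set(tag_tree))
    missing = sorted(set(tag_tree) - set(tarball))
    modified = sorted(p for p in set(tag_tree) & set(tarball)
                      if tag_tree[p] != tarball[p])
    suspicious = only_in_tarball + modified
    return {
        "only_in_tarball": only_in_tarball,
        "missing_from_tarball": missing,
        "modified": modified,
        # Flagged, not cleared: a human still has to compare these.
        "needs_manual_review": sorted(
            p for p in suspicious if AUTOTOOLS_GENERATED.search(p)),
        # Anything else that differs has no innocent explanation on offer.
        "unexplained": sorted(
            p for p in suspicious if not AUTOTOOLS_GENERATED.search(p)),
        "clean": not suspicious and not missing,
    }


# Constructed sample data (not from any real package): the tarball has a
# regenerated configure, a differing src/Makefile.in and an extra m4 file.
TAG_TREE = {
    "configure.ac": sha256(b"AC_INIT([demo],[1.0])"),
    "src/Makefile.am": sha256(b"bin_PROGRAMS = demo"),
    "src/Makefile.in": sha256(b"# generated by automake 1.16"),
}
TARBALL = {
    "configure.ac": TAG_TREE["configure.ac"],
    "src/Makefile.am": TAG_TREE["src/Makefile.am"],
    "src/Makefile.in": sha256(b"# generated by automake 1.16\nall: demo"),
    "configure": sha256(b"#! /bin/sh"),
    "m4/extra.m4": sha256(b"dnl constructed extra file"),
}

if __name__ == "__main__":
    for key, value in compare_tag_to_tarball(TAG_TREE, TARBALL).items():
        print(f"{key}: {value}")
```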