Re: [RFC] General Resolution to deploy tag2upload

[Ian Jackson <ijackson@chiark.greenend.org.uk>]

Russ Allbery writes ("Re: [RFC] General Resolution to deploy tag2upload"):
>  My understanding is that the problem with this
> design from their perspective is that it requires a fat client on the
> uploader's system,

Yes.

Indeed, we have a system very like this already.  It's called dgit.
dgit push-source *is* that fat client.

In your inferred design sketch, the fat client makes a git tag which
somehow encodes the special Debian-specific hash tree.  That is kind
of weird, and isn't really necessary.  We can just make the existing
Debian-specific hash tree signatures: the signatures on the .dsc and
the .changes.  So, with dgit, there are just two sets of signatures:
one set for the archive, to make the upload be accepted, and one set
for the git form, which gets pushed to dgit-repos.

What we are trying to do with tag2upload is get rid of dgit. [1]

Ian.

[1] Well, of course, it still runs on the server, but it becomes an
implementation detail of the automatic gateway between git and source
packages.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.