Re: Summary of the current state of the tag2upload discussion
On 6/24/24 23:31, Aigars Mahinovs wrote:
> There is no cryptographic relationship between the signed source
> *package* and the actual source. That *is* the problem. Inspecting one
> thing and then signing something else is the problem.
I'm sorry, but I cannot make reasonable sense of the above, even if
you're repeating it over, and over, and over...
Of course what I expect in a source package is ... my source code! In so
many ways, I'm checking what I upload. For example, by using and testing
what I uploaded. Right, I haven't checked all the files' checksums one by
one. Nevertheless, I am currently confident that what I uploaded is
what I expected. That doesn't change much with the workflow you're
proposing; I'd still check that things are working as expected.
But contrary to what you're saying, that *is not* the problem.
The problem is that you're proposing to sign something, and upload
something else, signed by a third-party CI that you want us to blindly
trust. This makes no sense. We want your stamp of approval on the thing
you're actually uploading, not something else. You may as well make a
signed request to a REST API; it wouldn't be very different from signing
a tag in a random Git repository.
Cheers,
Thomas Goirand (zigo)
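Added illustration (not part of the thread, and not tag2upload's or Debian's own tooling) of the distinction the two messages above argue about: what bytes an annotated tag signature covers versus what a .dsc checksum stanza covers. It assumes git, sha256sum, awk and mktemp are installed; the one-file repository, the tag v1.0, the two tarball prefixes and the minimal Checksums-Sha256 stanza are all constructed here for the demo (a real .dsc carries many more fields).

```shell
#!/bin/sh
# Constructed demo: a tag's signable payload names a commit id; a .dsc's
# Checksums-Sha256 stanza names one specific tarball. Two perfectly valid
# tarballs of the same tagged tree hash differently, and neither hash appears
# in the tag object. Assumes git, sha256sum, awk, mktemp (all hypothetical
# prerequisites of this demo, not of the page).
set -eu

DEMO=$(mktemp -d)
REPO="$DEMO/demo"
trap 'rm -rf "$DEMO"' EXIT

# git wrapper with a fixed identity so commit/tag work in a clean environment
g() { git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Build a one-file repo with an annotated tag v1.0. An unsigned annotated tag
# carries exactly the payload a PGP-signed one would, minus the signature block.
setup_repo() {
    git init -q "$REPO"
    printf 'int main(void) { return 0; }\n' > "$REPO/hello.c"
    g add hello.c
    g commit -q -m 'initial import'
    g tag -a -m 'release 1.0' v1.0
}

# The bytes a tag signature covers: the tag object text (object/type/tag/tagger
# lines plus the message). It binds the commit, hence the tree, and nothing else.
tag_payload() { g cat-file -p v1.0; }

# Archive the tagged tree under a given directory prefix; print the tar path.
# The prefix changes no source content, only the archive bytes.
make_tarball() {
    g archive --format=tar --prefix="$1/" v1.0 > "$DEMO/$1.tar"
    echo "$DEMO/$1.tar"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Does the signable tag payload mention this tarball hash? (yes|no)
tag_binds_hash() {
    if tag_payload | grep -q "$1"; then echo yes; else echo no; fi
}

# Minimal constructed Checksums-Sha256 stanza for one tarball, as a .dsc carries it.
write_dsc_stanza() {
    printf 'Checksums-Sha256:\n %s %s %s\n' \
        "$(sha256_of "$1")" "$(wc -c < "$1")" "$(basename "$1")"
}

# Check an arbitrary tarball against the stanza's recorded hash. (ok|MISMATCH)
dsc_checksum_matches() {
    expected=$(awk '/^ /{print $1; exit}' "$1")
    if [ "$expected" = "$(sha256_of "$2")" ]; then echo ok; else echo MISMATCH; fi
}

setup_repo
A=$(make_tarball demo-1.0)
B=$(make_tarball demo_1.0.orig)
write_dsc_stanza "$A" > "$DEMO/demo.dsc"

echo "--- signable tag payload ---"
tag_payload
echo "--- tarballs of the same tagged tree ---"
for t in "$A" "$B"; do
    h=$(sha256_of "$t")
    echo "$(basename "$t"): $h"
    echo "  named in tag payload: $(tag_binds_hash "$h")"
    echo "  matches .dsc stanza:  $(dsc_checksum_matches "$DEMO/demo.dsc" "$t")"
done
```

Run it and compare the two sections: the tag payload pins a commit id and transitively the tree, so it says nothing about which of the two tarballs (if either) is the artifact someone later uploads, whereas the .dsc stanza accepts exactly one and rejects the other.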