Re: t2u in the archive
On Sun, 30 Jun 2024 at 19:28, Russ Allbery <rra@debian.org> wrote:
>
> Aigars Mahinovs <aigarius@gmail.com> writes:
> > Correct me if I'm wrong, but I believe the intention is to have two
> > technically redundant data points saved into the archive:
>
> > 1) checksums of the contents of the shallow copy git tree in the
> > maintainer work folder (signed by the maintainer)
> > 2) contents of the shallow copy git tree in the t2u server work folder
> > (signed by t2u)
>
> Oh! Did I misunderstand Joerg's second point entirely? By "the tag that
> t2u wants to upload," I assumed that meant the tag the uploader signed or,
> in other words, the state of the tree *before* t2u started doing its work
> that has the uploader signature attached.
I do not see that in what either I or Joerg wrote. And I also don't
see much sense in that.
In contrast, having a tarball of the git state *before* t2u starts its
work would provide a tarball that *can* be verified against the
checksums from the first file. That will give you a clear data point -
t2u started its work with exactly the same workspace as the
maintainer signed. And will provide a frozen copy of that starting
workspace in the archive independent of the (more complex) dgit
service.
--
Best regards,
Aigars Mahinovs mailto:aigarius@debian.org
#--------------------------------------------------------------#
| .''`. Debian GNU/Linux (http://www.debian.org) |
| : :' : Latvian Open Source Assoc. (http://www.laka.lv) |
| `. `' Linux Administration and Free Software Consulting |
| `- (http://www.aiteki.com) |
#--------------------------------------------------------------#
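
The check discussed in this message, verifying a tarball of the starting workspace against a per-file checksum list, sketched as an added example; it is not part of the original mail and is not t2u or dgit code. The manifest layout (path mapped to SHA-256), the function names and the sample tree are assumptions, and verifying the maintainer's signature over the manifest is assumed to happen before this step.

```python
import hashlib
import io
import tarfile

def build_manifest(tree):
    """Map each path to the SHA-256 of its content (assumed manifest layout)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}

def make_tarball(tree):
    """Pack a {path: bytes} tree into an in-memory tarball (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(tree.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def verify_tarball(tar_bytes, manifest):
    """Return a sorted list of (path, problem); an empty list means an exact match."""
    problems = []
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            if not member.isfile():
                # Content checksums do not cover symlinks, devices, etc.: flag them.
                if not member.isdir():
                    problems.append((member.name, "non-regular member"))
                continue
            if member.name in seen:
                problems.append((member.name, "duplicate member"))
            seen.add(member.name)
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if member.name not in manifest:
                problems.append((member.name, "not in manifest"))
            elif digest != manifest[member.name]:
                problems.append((member.name, "checksum mismatch"))
    # Files the maintainer signed for that never made it into the tarball.
    problems += [(p, "missing from tarball") for p in manifest if p not in seen]
    return sorted(problems)

# Constructed sample tree standing in for the maintainer's work folder.
MAINTAINER_TREE = {"debian/changelog": b"pkg (1.0-1) unstable\n",
                   "src/main.c": b"int main(void){return 0;}\n"}
MANIFEST = build_manifest(MAINTAINER_TREE)

if __name__ == "__main__":
    print(verify_tarball(make_tarball(MAINTAINER_TREE), MANIFEST))
```

The check is deliberately two-way: a file present in the tarball but absent from the manifest is reported as well as a mismatch or a missing file, since only an exact match supports the "same workspace" claim.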