The Debian developer/maintainer creates a signed git tag that contains (in its message, presumably, to avoid adding new communication lines) the file listing of the git checkout at the point of signing (including file names, modes and short SHA checksum hashes). This extra content is added at the end of the tag message,
OK, maybe I'm just not getting it, but the tag *already* contains the file listing you want to add to the tag, implicitly: it refers to a commit which refers to a tree which refers to exactly those files.
If it ever does not, then we'd all have _way_ worse problems than figuring out how to safely create a t2u tag.
So what would this actually buy us, in terms of additional safety?
-- 
regards
-- 
Matthias Urlichs
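The object chain described in the reply (tag -> commit -> tree -> blobs), as an added example that is not part of the thread: it rebuilds git's hashing for blob, tree and commit objects from constructed sample content, shows that the commit id already commits to every file name, mode and blob hash, and decodes the tree body back into the listing the proposal would copy into the tag message. The file names and content are constructed.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Hash an object the way git does: sha1 over '<type> <size>\\0<body>'."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_object(entries):
    """entries: list of (mode, name, hex_sha). Returns (tree_id, raw_body).
    Git sorts entries bytewise by name, treating subtrees as 'name/'."""
    def sort_key(entry):
        mode, name, _ = entry
        return name + "/" if mode == "40000" else name
    body = b""
    for mode, name, sha in sorted(entries, key=sort_key):
        body += f"{mode} {name}\0".encode() + bytes.fromhex(sha)
    return git_object_id("tree", body), body

def commit_id(tree_sha: str, message: str,
              ident="Example <ex@example.org> 0 +0000") -> str:
    """A minimal root commit; the signed tag's 'object' line names this id."""
    body = (f"tree {tree_sha}\nauthor {ident}\ncommitter {ident}\n\n"
            f"{message}\n").encode()
    return git_object_id("commit", body)

def listing_from_tree(body: bytes):
    """Decode a raw tree body into (mode, name, sha): the listing the tag
    message would duplicate, already fixed by the tree id."""
    out, i = [], 0
    while i < len(body):
        space = body.index(b" ", i)
        nul = body.index(b"\0", space)
        out.append((body[i:space].decode(), body[space + 1:nul].decode(),
                    body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return out

# Constructed checkout: an executable debian/rules and a plain README.
RULES = b"#!/usr/bin/make -f\n%:\n\tdh $@\n"
README = b"hello\n"

def sample_commit(rules_mode: str = "100755") -> tuple:
    sub_id, _ = tree_object([(rules_mode, "rules", blob_id(RULES))])
    root_id, body = tree_object([("40000", "debian", sub_id),
                                 ("100644", "README", blob_id(README))])
    return commit_id(root_id, "Import upstream"), listing_from_tree(body)
```

Changing only the mode of debian/rules (say to 100644) yields a different subtree id, root tree id and commit id, so a signature over the tag object already covers the listing without repeating it in the message.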