Hi Daniel,

On Wed, Feb 27, 2019 at 12:03 PM Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
>
> I guess if we wanted some version of lintian to be able to check on the
> git tag, we need to have some sort of export (git shallow
> something-or-other?) that could be included in debian/ to recreate a git
> repo that would be sufficient to verify the contents of the files and
> confirm the git signature.

I wrote a Debian tool to create a shipping manifest with file-based hashes. Would it help to include that at the time of packaging?

If the manifest is signed, we could do away with tarball signatures.

Felix