I noticed I made some typos in my previous message. Sorry, I'm tired.
On Mon Jul 21, 2025 at 7:32 PM CEST, Andrea Pappacoda wrote:
> I believe this is safe security-wise because the commit id represented the expected status of the pristine-tar branch on the developer's machine is signed at the time of the upload.
I meant "representing" instead of "represented".
> If for some reason the branch gets in-between the upload, and the expected commit is lost, things will just fail instead of generating a "wrong" tarball.
I meant "the branch gets **modified** in-between the upload **and the t2u service build**".