Daniel Kahn Gillmor writes ("Re: Discussion on eventual transition away from source packages"):
> On Fri 2019-03-22 09:32:55 +0100, Lucas Nussbaum wrote:
> > I'm probably missing something, but it doesn't sound like a lot of work
> > to me? It's "just" a service that:
> > - gets notified of the existence of a git repo + tag to upload
> > - fetches that git repo + tag
> > - checks signature / confirm that the GPG key owner is allowed to upload
> >   that package
>
> In case anyone is considering trying to do this, please be aware that
> there are several non-obvious subtleties involved in "verifying a git
> tag".
Indeed. The git and gnupg tooling is quite awful. Last I looked at this,
git tag -v was so bad as to be unusable. I ended up writing dozens of
lines of code to manually pick apart the tag and feed the results to
gpgv (and to work around infelicities in gpgv).

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
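The upload-verification service sketched in the quoted messages, done the way Ian describes (pick the tag object apart by hand and hand the pieces to gpgv) rather than via git tag -v, as an added worked example; this is not code from the thread or from any Debian service. The tag object, keyring path, allowlisted fingerprint and gpgv status lines below are constructed placeholders. The checks it layers on top of "the signature is good" are the ones a tag-based upload path needs: the tag name inside the signed payload must match the ref that was asked for, the tagged object must be a commit, and the signer (taken from gpgv's VALIDSIG status line, not its exit code) must be on an explicit allowlist.

```python
"""Verify a signed git tag by splitting the tag object and running gpgv.

Added illustration for the thread above, not code from it.  SAMPLE_TAG,
SAMPLE_STATUS and ALLOWED_FPR are constructed test data.
"""
import re
import subprocess
import tempfile
from pathlib import Path

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----\n"
SIG_END = "-----END PGP SIGNATURE-----\n"
# gpgv status keywords that must never be silently ignored
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def split_tag_object(raw: str):
    """Split `git cat-file tag <ref>` output into the signed payload and the
    ASCII-armoured signature git appends after the tag message."""
    start = raw.find(SIG_BEGIN)
    if start < 0:
        raise ValueError("tag is not signed")
    end = raw.find(SIG_END, start)
    if end < 0:
        raise ValueError("truncated signature block")
    end += len(SIG_END)
    if raw[end:].strip():
        raise ValueError("trailing data after signature")
    return raw[:start], raw[start:end]


def parse_headers(payload: str) -> dict:
    """Parse the object/type/tag/tagger header lines that precede the message."""
    head, _, _ = payload.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        key, _, value = line.partition(" ")
        headers.setdefault(key, value)  # first occurrence wins
    return headers


def check_tag_headers(headers: dict, expected_tag: str) -> str:
    """Only the signed payload is vouched for by the signer, so the tag name
    inside it must match the ref requested, and it must point at a commit."""
    if headers.get("tag") != expected_tag:
        raise ValueError(f"signed tag name {headers.get('tag')!r} != {expected_tag!r}")
    if headers.get("type") != "commit":
        raise ValueError(f"tag points at a {headers.get('type')!r}, not a commit")
    if not re.fullmatch(r"[0-9a-f]{40}|[0-9a-f]{64}", headers.get("object", "")):
        raise ValueError("malformed object id")
    return headers["object"]


def signer_from_status(status_lines, allowed_fingerprints) -> str:
    """Extract the primary-key fingerprint (last field of VALIDSIG) from
    gpgv --status-fd output and require exactly one valid signature from an
    allowlisted key.  gpgv's exit code alone only says that *some* key in the
    keyring produced a good signature."""
    fingerprints = []
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] in BAD_STATUS:
            raise ValueError(f"gpgv reported {fields[1]}")
        if fields[1] == "VALIDSIG":
            fingerprints.append(fields[-1].upper())
    if len(fingerprints) != 1 or fingerprints[0] not in allowed_fingerprints:
        raise ValueError(f"no single valid signature from an allowed key: {fingerprints}")
    return fingerprints[0]


def verify_tag(repo: str, tag: str, keyring: str, allowed_fingerprints):
    """Full check against a real repository: returns (commit_id, signer_fpr).
    `keyring` should be an absolute path; gpgv resolves bare names relative
    to its home directory."""
    raw = subprocess.run(["git", "-C", repo, "cat-file", "tag", tag],
                         check=True, capture_output=True, text=True).stdout
    payload, sig = split_tag_object(raw)
    commit = check_tag_headers(parse_headers(payload), tag)
    with tempfile.TemporaryDirectory() as d:
        p, s = Path(d, "payload"), Path(d, "payload.asc")
        p.write_text(payload)
        s.write_text(sig)
        r = subprocess.run(["gpgv", "--status-fd", "1", "--keyring", keyring, str(s), str(p)],
                           capture_output=True, text=True)
    signer = signer_from_status(r.stdout.splitlines(), allowed_fingerprints)
    if r.returncode != 0:
        raise ValueError("gpgv exited non-zero")
    return commit, signer


# ---- constructed sample data so the parsing path runs without git/gpgv ----
ALLOWED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder
SAMPLE_TAG = ("object " + "a" * 40 + "\ntype commit\ntag debian/1.0-1\n"
              "tagger Example Maintainer <maint@example.org> 1553243575 +0100\n\n"
              "Upload 1.0-1\n" + SIG_BEGIN + "\niQconstructedplaceholder=\n" + SIG_END)
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>",
    f"[GNUPG:] VALIDSIG {ALLOWED_FPR} 2019-03-22 1553243575 0 4 0 1 8 00 {ALLOWED_FPR}",
]


def demo():
    """Run the offline part of the pipeline on the constructed sample."""
    payload, _sig = split_tag_object(SAMPLE_TAG)
    commit = check_tag_headers(parse_headers(payload), "debian/1.0-1")
    return commit, signer_from_status(SAMPLE_STATUS, {ALLOWED_FPR})


if __name__ == "__main__":
    print(demo())
```

The payload/signature split relies on the fact that git signs the tag content up to the armour header and appends the signature in place, which is why an unsigned (lightweight) tag makes git cat-file tag fail rather than pass silently. Newer git also exposes the raw status lines through git verify-tag --raw, but the tag-name and object-type checks above still have to be done by the caller either way.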