Bastian Blank writes ("Re: tag2upload (git-debpush) service architecture -
draft"):
> We discussed a bit within the ftp team and several points came up. The
> following describes my interpretation of it:
>
> The archive will need to do the final validation to check if an upload
> is accepted. The uploaders signature would need to be added to the
> source package to allow checking the validity also in the future. We
> already retain all user signatures of source packages in the archive and
> such a proposed service must provide the same level of possible
> verification.
I can certainly include a copy of the git signed tag object. This
would require a modest change to dak to accept the new filename. Can
you please tell me what filename would be good ?
> The signature needs to be collision resistant and needs to be verifyable
> with only the stuff included into the source package. The git object
> checksums don't suffice anymore due to SHA1. And as the world moves
> towards SHA3, it will need to have the ability to follow. The output of
> all operations obviously needs to be reproducible to be signed.
The git signed tag object has a signature which is verifiable without
relying on the git object hash system. The tag text directly contains
the source package name, and version, and intended upload target.
> I don't know if any of this requires a new dpkg source format to
> implement properly.
I don't think so.
Ian.
--
Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
