Sam Hartman writes ("Re: tag2upload (git-debpush) service architecture - draft"):
> Sean Whitton <spwhit...@spwhitton.name> writes:
> > Okay, thanks.
>
> > I think that the Git-Tag-Info field solves this.  With that
> > field available, anyone can do the following to perform an
> > equivalent verification:
>
> > 1. fetch the .dsc from the archive
>
> > 2. fetch, from dgit-repos, the tag given in the Git-Tag-Info
> > field of the .dsc
>
> This violates the "no external data" requirement above.

This requirement can be met (as I mentioned before) by including the
tag object data as a file in the upload (listed in .changes).  The
signature can be verified without any further data.  A git bundle is
not needed.

I just need to know what filename I should give it.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.