Hi Sam

On Wed, Aug 28, 2019 at 09:42:56AM -0400, Sam Hartman wrote:
> During the DPL campaign, a number of people, including Joerg, made
> statements that I interpreted as explicitly wanting to make this change.
> That is, they wanted to move our authoritative source format to Git,
> possibly even getting rid of dscs in the medium future.

Maybe they should step up then and we can start discussing the larger goal.
Because in the end they all need to solve the same problems.

We have to decide what guarantees the Debian archive should provide in terms
of verifiability. This is however independent from the question of whether
there is Git involved or not. And after both npm[1] and rubygems[2] managed
to provide trojaned binaries, it's more pressing than ever.

> At least in my mind, this is all predicated on believing that moving
> away from today's dscs toward git as authoritative source is actually a
> good idea.

What do you mean by "authoritative source"? buildds should now download a
git repo, checkout the given sha1 and build it? This means we can now use
gitlab-ci to build it, yeah!

However we often need to ship immutable source for license reasons,
sometimes even near the binaries. So in some cases we can't refer to an
external Git repository. How do you suggest we would handle them?

Currently the archive certifies the included source by signing the Release
file. By retrieving the tar and verifying the checksum you can be sure
you've got the exact source that was included. Do you know what you have
to do to actually get the same with Git?

> If you don't believe that, then you're never going to like this proposal
> at all.

I even provided the outline of a counterproposal providing almost the same
flexibility, but without sacrificing the current guarantees we have:
converting the git repo reproducibly into immutable source that we can ship
similar to what it is like now. It just needs a specially formatted and
signed tag (plus some source format changes to get rid of pristine-tar).

> I guess you could decide you want tag2upload somehow even though you
> don't want that transition.

This thread is about _how_ it can be done, not if.

Bastian

[1]: https://github.com/dominictarr/event-stream/issues/116
[2]: https://github.com/rest-client/rest-client/issues/713

-- 
Superior ability breeds superior ambition.
		-- Spock, "Space Seed", stardate 3141.9
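The verification chain the message refers to (a signed Release file listing the checksum of the Sources index, which in turn lists the checksum of each source tarball) walked through as an added Python example. This is not code from the thread or from Debian's tooling; the package name, index path, stanza layout and sample bytes are constructed, and the OpenPGP signature check on the Release file is assumed to have already been done by a separate step (e.g. gpgv), so only the hash chain below it is shown here.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksum_section(text: str, header: str) -> dict:
    """Parse a '<header>' block of ' <hash> <size> <name>' lines into {name: (hash, size)}.

    The same layout is used by the 'SHA256:' block of a Release file and by the
    'Checksums-Sha256:' field of a Sources stanza: indented continuation lines
    belong to the section, any non-indented line starts a new field.
    """
    entries = {}
    in_section = False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_section = line.rstrip() == header
            continue
        if in_section:
            parts = line.split()
            if len(parts) == 3:
                entries[parts[2]] = (parts[0], int(parts[1]))
    return entries


def verify_file(entries: dict, name: str, data: bytes) -> bool:
    """Check that 'data' matches the size and SHA-256 recorded for 'name'."""
    expected = entries.get(name)
    if expected is None:
        return False  # not listed at all: the archive never certified this file
    expected_hash, expected_size = expected
    if len(data) != expected_size:
        return False
    return hmac.compare_digest(sha256_hex(data), expected_hash)


def verify_source_chain(release_text: str, sources_path: str, sources_data: bytes,
                        tarball_name: str, tarball_data: bytes) -> bool:
    """Walk the chain: (signed) Release -> Sources index -> source tarball.

    Every hop is a checksum the previous hop vouched for, so a tarball that
    verifies here is byte-for-byte what the archive signed, which is the
    guarantee the message contrasts with a bare Git checkout.
    """
    release_entries = parse_checksum_section(release_text, "SHA256:")
    if not verify_file(release_entries, sources_path, sources_data):
        return False
    sources_entries = parse_checksum_section(sources_data.decode(), "Checksums-Sha256:")
    return verify_file(sources_entries, tarball_name, tarball_data)


# Constructed sample data (not a real package): the tarball bytes, then a Sources
# stanza that lists them, then a Release body that lists the Sources index.
TARBALL = b"constructed stand-in for hello_1.0.orig.tar.xz\n"
SOURCES = (
    "Package: hello\n"
    "Version: 1.0-1\n"
    "Checksums-Sha256:\n"
    f" {sha256_hex(TARBALL)} {len(TARBALL)} hello_1.0.orig.tar.xz\n"
    "\n"
).encode()
RELEASE = (
    "Origin: Debian\n"
    "Suite: unstable\n"
    "SHA256:\n"
    f" {sha256_hex(SOURCES)} {len(SOURCES)} main/source/Sources\n"
)


def demo() -> dict:
    """Genuine chain verifies; a tampered tarball or index breaks it."""
    return {
        "genuine": verify_source_chain(RELEASE, "main/source/Sources", SOURCES,
                                       "hello_1.0.orig.tar.xz", TARBALL),
        "tampered_tarball": verify_source_chain(RELEASE, "main/source/Sources", SOURCES,
                                                "hello_1.0.orig.tar.xz", TARBALL + b"x"),
        "tampered_index": verify_source_chain(RELEASE, "main/source/Sources", SOURCES + b"\n",
                                              "hello_1.0.orig.tar.xz", TARBALL),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two-hop check is that the only signature involved is the one on the Release file; a mirror or CDN can alter any file below it, but cannot make an altered Sources index or tarball match the hashes the signed file carries. Replacing the tarball with a Git commit id gives the same property only if the commit id is itself listed in (or signed into) an artefact the archive controls, which is the open question the message raises.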