On Wed, Aug 28, 2019 at 04:00:10PM -0400, Sam Hartman wrote:
> But if we're thinking that people will be working in Git, another way
> to do this is to merge in a signed upstream git tag. Then you can
> perform a diff against that git tag.
One of the things to consider is how we should handle cases where upstream does not sign the git tag, but *does* sign the tar.gz files. Or if we end up moving to dgit for everything, and we don't want to use pristine-tar (which I like, but I realize that's not an opinion shared by everyone; some people seem to hate it), and upstream uses a non-git repo (say, bzr, or hg) and still uses signed tar.gz files, I'd argue we need to have a good way to preserve the cryptographic signature of upstream's foo.tar.gz and foo.tar.gz.asc in a dgit-only world.

- Ted
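The two checks discussed above (verifying upstream's detached tarball signature, and diffing against a signed upstream git tag) can be combined into one review step. The script below is an added example for this thread, not code from Debian, dgit or either poster; the file names (foo-1.0.tar.gz, foo-1.0.tar.gz.asc), the tag name v1.0 and the keyring upstream-keys.gpg are assumptions. It verifies the .asc with gpgv against a keyring that holds only upstream's key, verifies the tag with git verify-tag, and then unpacks the tarball and diffs it against the tag's tree, so a tarball that does not correspond to what upstream tagged is noticed even when both signatures are good. Note that a non-empty diff is not automatically a reject: many upstreams ship generated files (autotools output, bundled documentation) only in the tarball, so the diff is the reviewer's starting point.

```shell
#!/bin/sh
# Added example, not from the thread. Check an upstream release both ways:
#   1. verify the detached OpenPGP signature on the tarball (foo.tar.gz.asc)
#   2. verify the signed upstream git tag
#   3. unpack the tarball and diff it against the tag's tree
# File names, tag name and keyring path used by callers are assumptions.
set -eu

# Verify tarball against its detached signature using ONLY the given keyring
# (gpgv treats every key in that keyring as trusted, so keep upstream's key
# alone in it).  Returns 0 when the signature verifies.
verify_tarball_sig() {  # usage: verify_tarball_sig KEYRING TARBALL
    gpgv --keyring "$1" "$2.asc" "$2"
}

# Verify upstream's signed git tag with git's own check (uses gpg's configured
# keyring).  Returns 0 when the tag signature verifies.
verify_tag() {  # usage: verify_tag REPO TAG
    git -C "$1" verify-tag "$2"
}

# Unpack the tarball (dropping its top-level directory) and the tag's tree into
# a scratch directory and compare them recursively.  Returns 0 when identical,
# 1 when they differ; the diff itself goes to stdout for the reviewer.
diff_tarball_against_tag() {  # usage: diff_tarball_against_tag REPO TAG TARBALL
    repo=$1; tag=$2; tarball=$3
    tmp=$(mktemp -d)
    mkdir "$tmp/tarball" "$tmp/tag"
    tar -xzf "$tarball" -C "$tmp/tarball" --strip-components=1
    git -C "$repo" archive --format=tar "$tag" | tar -xf - -C "$tmp/tag"
    if diff -r "$tmp/tag" "$tmp/tarball"; then
        rm -rf "$tmp"
        return 0
    else
        rm -rf "$tmp"
        return 1
    fi
}

# Full check: all three steps must pass.  Assumed layout: the repo, tarball and
# keyring paths are passed in by the caller.
check_release() {  # usage: check_release REPO TAG TARBALL KEYRING
    verify_tarball_sig "$4" "$3" &&
    verify_tag "$1" "$2" &&
    diff_tarball_against_tag "$1" "$2" "$3"
}
```

Typical call: `check_release ./foo v1.0 ../foo-1.0.tar.gz ./upstream-keys.gpg`. If upstream signs only the tarball and not the tag (the first case raised above), drop the verify_tag step and rely on verify_tarball_sig plus the diff; if upstream has no git repository at all, only the tarball signature can be checked, which is exactly why the .asc needs to be kept alongside the tarball in a dgit-only workflow.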