Hi Ian, On Mon, Oct 28, 2019 at 05:53:00PM +0000, Ian Jackson wrote: > The sticking point, as I understand it, is that this still does not > allow dak to verify that the *contents* of the .dsc were as intended > by the uploading human. [0] > > In the tag2upload proposal, the conversion from git tag to dsc is > `merely' done by an official Debian service on an official Debian > machine, and is `merely' fully reproducible and auditable. > > But this is not good enough for some ftpmasters, who want that > verification to be done *by dak*. Various people attempted in the > previous thread on this topic to find out *why* this is thought > important, without apparent success.
I fear I'll have to side with "some ftpmasters" here. As a user, I also want this verification work in both ways. Going from tag to upload is insufficient in my view. What I want is "apt source" with history. This is not debcheckout. I want the exact tree (tag) that matches unstable including its git history in a way that exactly reproduces the build failure seen on the source package. In other words, I want these formats (source package and tagged git tree) to be isomorphic (minus history). This requirement is too strong since not every source package will have a corresponding tag, but when there is a tag, I want to safely go from source package to tag and back again and arrive where I started from. This property allows me to start from a git tree that is authenticated by dak rather than a random git tree on a random git server of questionable origin. This backwards-connection seems to be missing thus far, but I do find it important for the reasons above. Adding it would easily allow dak to validate the signature on the tag. Helmut
