Package: dgit-infrastructure
Version: 9.5
User: d...@packages.debian.org
Usertags: rsn

Quoting myself:

   It would probably be worthwhile checking critical fields, so that the
   signer cannot be tricked into signing things that the original
   git-debpush user could not have done.  I looked at the code and I
   think this is
     1 we need a slightly stronger syntax check for the Maintainer
        when we construct the git tagger line
     2 we should cross-check the source package name in all
        relevant places
     3 it would be easy to cross-check the version too.

1 is easy.  2 involves dgit rpush honouring -p.  3 means a new version
option I think.

We should also check that the syntax of all the signed things is right.  I
think this means feeding eg buildinfo and changes and dsc to a deb822
parser, which we probably mostly already do.

None of this is particularly difficult.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

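The checks sketched in the report (a stricter Maintainer syntax check before the value is used in a git tagger line, and a cross-check of source package name and version across the files the signer is asked to sign, after parsing them as deb822) as an added, self-contained example. This is illustration code written for this page, not dgit's or git-debpush's own implementation: the deb822 reader is a minimal one rather than python-debian, the Maintainer rule is an assumed one chosen so the value can never smuggle `<`, `>` or a newline into a `tagger` line, and the .dsc/.changes/.buildinfo contents are constructed samples.

```python
"""Added example (not dgit code): cross-check critical fields across the
deb822 files a signer is asked to sign, and validate Maintainer syntax."""
import re

_FIELD_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9-]*):\s*(.*)$")

# Assumed stricter rule: "Name <local@domain>", name free of <, > and control
# characters, address free of whitespace.  git's tagger line cannot carry a
# newline or an extra angle bracket, so reject them before constructing it.
_MAINT_RE = re.compile(r"^([^<>\x00-\x1f]+?)\s+<([^\s<>@]+@[^\s<>@]+)>\Z")


def parse_deb822(text):
    """Parse deb822 text into a list of stanzas (dict: field -> value).
    Continuation lines (leading whitespace) are appended to the previous
    field; malformed or duplicated fields raise ValueError."""
    stanzas, cur, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                 # blank line ends a stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
            continue
        if raw[0] in " \t":                 # continuation of previous field
            if last is None:
                raise ValueError("continuation line without a field")
            cur[last] += "\n" + raw.strip()
            continue
        m = _FIELD_RE.match(raw)
        if not m:
            raise ValueError("malformed line: %r" % raw)
        name, value = m.group(1), m.group(2)
        if name in cur:
            raise ValueError("duplicate field %s" % name)
        cur[name] = value
        last = name
    if cur:
        stanzas.append(cur)
    return stanzas


def _get(stanza, name):
    """Case-insensitive field lookup (deb822 field names are case-insensitive)."""
    for k, v in stanza.items():
        if k.lower() == name.lower():
            return v
    return None


def check_maintainer_syntax(value):
    """True if value is safe to embed in a git tagger line under the assumed rule."""
    return bool(_MAINT_RE.match(value))


def cross_check(files, expected_source, expected_version):
    """files: dict of label -> deb822 text (first stanza is checked).
    Returns a list of problem strings; an empty list means every file parses
    and its Source/Version/Maintainer agree with what the pusher asked for."""
    problems = []
    for label, text in files.items():
        try:
            stanza = parse_deb822(text)[0]
        except (ValueError, IndexError) as e:
            problems.append("%s: unparseable (%s)" % (label, e))
            continue
        src, ver = _get(stanza, "Source"), _get(stanza, "Version")
        if src is None or ver is None:
            problems.append("%s: missing Source or Version" % label)
            continue
        # A .changes Source field may carry "(version)" for binNMUs; strip it.
        src = re.sub(r"\s*\(.*\)\Z", "", src)
        if src != expected_source:
            problems.append("%s: Source %s != expected %s" % (label, src, expected_source))
        if ver != expected_version:
            problems.append("%s: Version %s != expected %s" % (label, ver, expected_version))
        maint = _get(stanza, "Maintainer")
        if maint is not None and not check_maintainer_syntax(maint):
            problems.append("%s: Maintainer fails syntax check" % label)
    return problems


# Constructed sample files (not real uploads; hash below is a placeholder).
DSC = """Format: 3.0 (quilt)
Source: hello
Version: 2.10-3
Maintainer: Jane Doe <jane@example.org>
Build-Depends: debhelper-compat (= 13)
Files:
 0123456789abcdef0123456789abcdef 0 hello_2.10.orig.tar.gz
"""
CHANGES = """Format: 1.8
Source: hello
Version: 2.10-3
Distribution: unstable
Maintainer: Jane Doe <jane@example.org>
Changes:
 hello (2.10-3) unstable; urgency=medium
 .
   * Constructed changelog entry.
"""
BUILDINFO_TAMPERED = """Format: 1.0
Source: hello
Version: 2.10-4
Maintainer: Jane Doe <jane@example.org>
"""

if __name__ == "__main__":
    print(cross_check({"dsc": DSC, "changes": CHANGES}, "hello", "2.10-3"))
    print(cross_check({"dsc": DSC, "changes": CHANGES, "buildinfo": BUILDINFO_TAMPERED},
                      "hello", "2.10-3"))
```

The point of the second call is that a signer which only checks the file it is about to sign would happily sign the buildinfo; comparing every file against the source name and version the pusher supplied (the `-p` and version options the report mentions) is what catches the disagreement. The example assumes the texts have already had any clearsign armour stripped and their signatures verified, so that the parser sees plain stanzas.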