Package: dgit-infrastructure
Version: 9.5
User: d...@packages.debian.org
Usertags: rsn
Quoting myself:

> It would probably be worthwhile checking critical fields, so that the signer cannot be tricked into signing things that the original git-debpush user could not have done.

I looked at the code and I think this is:

 1. we need a slightly stronger syntax check for the Maintainer when we construct the git tagger line
 2. we should cross-check the source package name in all relevant places
 3. it would be easy to cross-check the version too.

1 is easy. 2 involves dgit rpush honouring -p. 3 means a new version option, I think.

We should also check the syntax of all the signed things are right. I think this means feeding e.g. buildinfo and changes and dsc to a deb822 parser, which we probably mostly already do.

None of this is particularly difficult.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
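The three checks proposed above, as an added worked example; this is not dgit's code and not part of the bug report. It feeds constructed `.dsc`, `.changes` and `.buildinfo` text (made up for this example, already stripped of any clearsign armour, which is an assumption) through a minimal deb822 paragraph parser, applies a stricter Maintainer syntax check before the value would be copied into a git `tagger` line, and cross-checks Source and Version across all three artifacts against what the pushing user asked for. The function and field names are this example's own, not dgit's.

```python
"""Signer-side checks for a git-debpush/dgit rpush style upload.

Added example, not dgit's own code.  Given the source package and
version the pushing user asked for, refuse to sign unless every
artifact agrees and the Maintainer field is safe to embed in a git
tagger line.  Assumes the artifacts are plain deb822 text (clearsign
armour already removed).
"""
import re

# deb822 field name: printable US-ASCII except ':' and space
FIELD_RE = re.compile(r'^([!-9;-~]+):[ \t]?(.*)$')
# "Name <local@domain>": no angle brackets in the name, exactly one address,
# no whitespace or extra brackets inside the address
MAINT_RE = re.compile(r'^([^<>]+?)[ \t]+<([^<>\s@]+@[^<>\s@]+)>$')


def parse_deb822(text):
    """Parse the first deb822 paragraph into {lowercase_field: value}.

    Fails closed: duplicate fields, a continuation line before any field,
    comment lines and lines that are not fields at all all raise, so a
    malformed artifact is never signed on the strength of a lucky parse.
    Continuation lines are joined with '\\n' so later checks can see them.
    """
    fields = {}
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == '':
            break  # end of the first paragraph
        if line[0] in ' \t':
            if current is None:
                raise ValueError(f'line {lineno}: continuation before any field')
            fields[current] += '\n' + line[1:]
            continue
        m = FIELD_RE.match(line)
        if not m or line[0] in '#-':
            raise ValueError(f'line {lineno}: not a deb822 field: {line!r}')
        name = m.group(1).lower()
        if name in fields:
            raise ValueError(f'line {lineno}: duplicate field {m.group(1)}')
        fields[name] = m.group(2).strip()
        current = name
    if not fields:
        raise ValueError('empty paragraph')
    return fields


def check_maintainer(value):
    """Return (name, email) if `value` may be written into a git tagger line.

    Rejects any control character (including a newline smuggled in through
    a deb822 continuation line, which would split the tagger line), a name
    containing angle brackets, and anything other than exactly one address.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in value):
        raise ValueError(f'Maintainer contains a control character: {value!r}')
    m = MAINT_RE.fullmatch(value)
    if not m:
        raise ValueError(f'Maintainer is not "Name <email>": {value!r}')
    name, email = m.group(1).strip(), m.group(2)
    if not name:
        raise ValueError('Maintainer has an empty name')
    return name, email


def cross_check(expected_source, expected_version, artifacts):
    """Compare Source and Version in each parsed artifact with the values the
    pusher requested (the -p package and a version option).  Returns a list
    of discrepancies; an empty list means all artifacts agree."""
    problems = []
    for label, fields in artifacts.items():
        for key, want in (('source', expected_source), ('version', expected_version)):
            got = fields.get(key)
            if got != want:
                problems.append(f'{label}: {key} is {got!r}, expected {want!r}')
    return problems


def verify_upload(expected_source, expected_version, dsc, changes, buildinfo):
    """Parse all three artifacts and run every check.  Returns the list of
    problems; the signer should only sign when it is empty."""
    parsed = {'dsc': parse_deb822(dsc),
              'changes': parse_deb822(changes),
              'buildinfo': parse_deb822(buildinfo)}
    problems = cross_check(expected_source, expected_version, parsed)
    for label in ('dsc', 'changes'):
        try:
            check_maintainer(parsed[label].get('maintainer', ''))
        except ValueError as e:
            problems.append(f'{label}: {e}')
    return problems


# Constructed sample artifacts for this example (not a real upload).
GOOD_DSC = """\
Format: 3.0 (quilt)
Source: hello
Binary: hello
Architecture: any
Version: 2.10-3
Maintainer: Jane Doe <jane@example.org>
Standards-Version: 4.6.2
"""
GOOD_CHANGES = """\
Format: 1.8
Date: Mon, 01 Jan 2024 00:00:00 +0000
Source: hello
Binary: hello
Architecture: source
Version: 2.10-3
Distribution: unstable
Urgency: medium
Maintainer: Jane Doe <jane@example.org>
Changed-By: Jane Doe <jane@example.org>
Description:
 hello - constructed example package
Changes:
 hello (2.10-3) unstable; urgency=medium
 .
   * Constructed changelog entry.
"""
GOOD_BUILDINFO = """\
Format: 1.0
Source: hello
Binary: hello
Architecture: source
Version: 2.10-3
"""
# A tampered .dsc: different source package, and a Maintainer continuation
# line that would become a second line of the git tagger header.
BAD_DSC = GOOD_DSC.replace('Source: hello', 'Source: other').replace(
    'Maintainer: Jane Doe <jane@example.org>',
    'Maintainer: Jane Doe <jane@example.org>\n tagger Mallory <m@example.org>')

if __name__ == '__main__':
    print('good:', verify_upload('hello', '2.10-3', GOOD_DSC, GOOD_CHANGES, GOOD_BUILDINFO))
    for p in verify_upload('hello', '2.10-3', BAD_DSC, GOOD_CHANGES, GOOD_BUILDINFO):
        print('tampered:', p)
```

The parser deliberately keeps the newline from a continuation line in the field value rather than folding it away, so that `check_maintainer` sees exactly what would be written into the tagger line; a parser that silently unfolded the value would hide the injection.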