Package: git-debpush
Version: 13.15
Severity: wishlist

Dear Maintainer,

Thanks for tag2upload - it's a great solution!

It would be nice if the shallow git clone (*.git.tag.xz) retained the signature of upstream tags as it does the signature for the debian tag in order to allow the provenance of the upstream code to be verified after upload. Even better would be if other tooling in the ecosystem supported this verification.

It is a shame that any package where a signed tag is the canonical upstream representation of a release appears unverified within Debian, leading to the inevitable orig-tarball-missing-upstream-signature lintian tag, even though maintainer tooling will have checked this at an early stage.

Here is an example of such an upload, where the upstream tag was signed and for good measure pushed to salsa before git debpush:

https://tag2upload.debian.org/job/1094

$ git debpush --upstream=v0.7.1
git-debpush: fetching from [email protected]:debian/xchpst.git to check existing state
Enter passphrase for key '/home/andy/.ssh/id_rsa':
git-debpush: making signed tag 'debian/0.7.1-1'
git-debpush: pushing to git remote 'salsa'
Enter passphrase for key '/home/andy/.ssh/id_rsa':
Enumerating objects: 1, done.
Counting objects: 100% (1/1), done.
Writing objects: 100% (1/1), 951 bytes | 951.00 KiB/s, done.
Total 1 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
To salsa.debian.org:debian/xchpst.git
 * [new tag] debian/0.7.1-1 -> debian/0.7.1-1

$ git tag --verify v0.7.1
object b13c1ea7940ca96599d55efe4e35b9ec3922627b
type commit
tag v0.7.1
tagger Andrew Bower <[email protected]> 1758349871 +0100

xchpst release 0.7.1
gpg: Signature made Sat 20 Sep 2025 07:31:11 BST
gpg: using RSA key 30A6192FA2C8E79967706D75BAA80ED96F7887E9
gpg: issuer "[email protected]"
gpg: Good signature from "Andrew Bower <[email protected]>" [ultimate]
gpg: aka "Andrew Bower <[email protected]>" [ultimate]
Primary key fingerprint: 06AB 786E 936C 6C73 F6D8 130C 4510 3394 30FC 9F34
Subkey fingerprint: 30A6 192F A2C8 E799 6770 6D75 BAA8 0ED9 6F78 87E9

I understand this is a replace-point in the git clone included in the archive but the commit hash is the same as the upstream tag so I wonder if there is an approach that would work? There is a considerable gap in my understanding of the mechanics here so apologies if the suggestion is nonsensical when one understands dgit and friends...

Thanks,
Andrew

-- System Information:
Debian Release: forky/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.16.5+deb14-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages git-debpush depends on:
ii git 1:2.51.0-1
ii gnupg 2.4.8-3
ii libdpkg-perl 1.22.21

git-debpush recommends no packages.

git-debpush suggests no packages.

-- no debconf information

