Hi,

I reviewed the whole thread and the point of friction is the requirement
to sign the .dsc file to make sure that the source package matches what
the maintainer intended to upload. Ian doesn't want the maintainer to have
to deal with the .dsc and the ftpmasters want to have a signature within
the archive to verify that the code that we build is the code that the
maintainer wanted to ship.

I have a proposal to get out of this impasse.

1/ When the maintainer generates the git tag, he will sign the tag
   but he will also sign the output of "git ls-tree -r HEAD"
   and that signature is stored in the tag long description.

   This signature will be the basis of the trust that ftpmasters are
   looking for.

2/ tag2upload constructs a .dsc that embeds a new field where the
   output of "git ls-tree -r HEAD" is provided (let's call it "Content")
   and a second field with the signature of the maintainer (let's call
   it "Content-Signature"). tag2upload signs the .dsc as a whole with
   its own key.

3/ "dpkg-source -x" is modified to remove any file that does not appear
   in the "Content" field. It could warn about missing files too (and maybe
   silently ignore for a few common files that are usually not part of the
   "make dist"). It could also verify the checksums and complain if they
   don't match.

4/ dak is modified to also verify the signature in "Content-Signature".

5/ profit, everybody should be happy.


Comments are welcome, obviously.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
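Steps 2 and 3 of the proposal above, as an added example that is not part of this mail nor of tag2upload or dpkg: it parses a "git ls-tree -r HEAD" listing as it would sit in the proposed Content field, then applies the proposed "dpkg-source -x" rule to an unpacked tree (delete unlisted files, report missing ones, compare each file's git blob id against the listing). The Content line format, the tolerated-missing set and the sample files are assumptions; checking Content-Signature itself is left to the OpenPGP tooling and is not shown.

```python
import hashlib
import tempfile
from pathlib import Path

def git_blob_id(data: bytes) -> str:
    # Object id git assigns to a blob: SHA-1 over b"blob <size>\0" + data.
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def parse_content(field: str) -> dict:
    # Map path -> blob id from "git ls-tree -r HEAD" output, one
    # "<mode> <type> <id><TAB><path>" line per entry (the proposed Content field).
    entries = {}
    for line in filter(None, field.splitlines()):
        meta, path = line.split("\t", 1)
        _mode, otype, oid = meta.split()
        if otype == "blob":  # submodule commits etc. are not files
            entries[path] = oid
    return entries

def reconcile_tree(root: Path, content: dict, tolerated_missing=()) -> dict:
    # Proposed "dpkg-source -x" rule: delete files absent from Content, report
    # listed files that are missing (minus a tolerated set, an assumption here)
    # and files whose blob id differs from the signed listing.
    report = {"removed": [], "missing": [], "mismatch": []}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in content:
            report["removed"].append(rel)
            p.unlink()
    for rel, oid in content.items():
        p = root / rel
        if not p.is_file():
            if rel not in tolerated_missing:
                report["missing"].append(rel)
        elif git_blob_id(p.read_bytes()) != oid:
            report["mismatch"].append(rel)
    return report

def demo() -> dict:
    # Constructed tree: one file matching the signed listing, one tampered file,
    # one stray file never in git, and one listed file that is absent.
    root = Path(tempfile.mkdtemp())
    (root / "main.c").write_bytes(b"int main(void){return 0;}\n")
    (root / "README").write_bytes(b"edited after the tag was signed\n")
    (root / "configure").write_bytes(b"#!/bin/sh\n")  # not in git: gets removed
    listing = "\n".join([
        "100644 blob %s\tmain.c" % git_blob_id(b"int main(void){return 0;}\n"),
        "100644 blob %s\tREADME" % ("0" * 40),        # placeholder, not the real id
        "100644 blob %s\tdebian/rules" % ("1" * 40),  # placeholder, not the real id
    ])
    return reconcile_tree(root, parse_content(listing))
```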
