On Tue, Oct 22, 2019 at 07:33:47AM -0400, Sam Hartman wrote:
> My initial reaction is that this is additional complexity in a direction
> that we don't need.

It is not a question of complexity. It is a question of trust and who we want and need to trust. If we abolish the principle that we want to need as little trust as possible and be able to verify all the steps within the archive, then we don't actually need the complexity. But someone needs to stand up and proclaim exactly that. This is what no one did. If we don't want to sacrifice that, we have to stick to a chain of trust.

> Like Russ, I generally assume that VCS-like things are the future.
> I understand there is complexity there.

What is "VCS-like"? Please define it. A source package is no VCS; it does not need to be. E.g. dgit is not a VCS-like source package, as it solves a different purpose to a source package we ship in the archive to all our users. Because we have been running around this concept for some time now, please help me to actually understand what you mean by it.

> But I don't understand why this proposed format would be a step forward
> in a world where we care more about VCSes. As an example, I don't
> understand how this would make things better for tag2upload.

We had that discussion already; it is about the possibility of reproducing the content of the upload. The tag2upload proposal said they can't do it and everyone needs to trust this service to do the right thing. I like to solve this problem and allow such a tool/service to forward the trust information by reproducing the output.

> I don't think this proposal is sufficiently well developed where you're
> going to get much good feedback on debian-devel.

What would be the correct location for it?

Regards,
Bastian

-- 
Those who hate and fight must stop themselves -- otherwise it is not stopped.
		-- Spock, "Day of the Dove", stardate unknown