On Tue, Mar 08, 2016 at 05:10:53PM +0100, Andreas Tille wrote:
> On Tue, Mar 01, 2016 at 06:21:18PM +0000, Mattia Rizzolo wrote:
> > Also, can you please use signed tags? With gbp it is just a matter of
> > adding 'signed-tags = True' in ~/.gbp.conf :)
>
> If we would like to make this the default in the Debian Med team this
> should be added to the policy.
My dreams are bigger: I'd like to see using a standardized git repository
for all packages in the archive mandatory, and usage of signed tags
mandatory too.
Then again, this is Debian; I know something like that will likely never
happen anytime soon ;)
> I personally do not see any extra value
> in signed tags since what finally matters is a signed upload. But if
> others think it's a good idea I don't mind.
I'd like to trust git repositories. I'd like to be sure that a tag in a
git repository is *exactly* what has been uploaded to the archive.
Currently, when I work out of a git repository I don't know about, I always
need to double-check whether what is in the repo is what is in the
archive, by running `debuild -S` out of the repository and debdiff against
what's in the archive. It's annoying. I want to trust that a git tag
signed by a key I trust (let's assume I trust all of debian-keyring) is
enough by itself, and that I don't need to double-check anything.
Considering that I'm seeing git tags done just about randomly, and hardly
matching what's uploaded, I think we still have a long way to go. [0]
The fact that DPMT moved to mandate git-dpm, when it doesn't even
support signed tags, doesn't help my evil plan :)
[0] To be clear, that's a general statement, I don't recall if what I
saw was in -med or somewhere else.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
more about me: http://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
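The two checks the thread talks about, written out as a script. This is an added example, not code from the message above and not part of gbp, devscripts or any Debian Med tooling. The first function answers the policy question (does a given gbp.conf actually turn on tag signing? note that gbp.conf(5) documents the key as `sign-tags`, honoured in `[DEFAULT]` and `[buildpackage]`); the second does the manual routine described above, but from the tagged tree rather than the working copy: verify the tag against a keyring, build a source package from exactly that tree, and debdiff it against the archive's .dsc. Assumed, hypothetical inputs: a repository path, a tag name like `debian/1.2-3`, a keyring such as `/usr/share/keyrings/debian-keyring.gpg`, and the archive's .dsc fetched beforehand (for example with `dget -d <url>`) so that its .orig tarball sits next to it; git, gpg, dpkg-dev and devscripts are assumed installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list message, not from gbp/devscripts).
#   gbp_signed_tags_enabled   <gbp.conf>                         -> 0 if tag signing is on
#   verify_tag_matches_archive <repo> <tag> <keyring> <archive.dsc> -> 0 if tag == archive
# All paths and names passed in are hypothetical inputs chosen by the caller.
set -eu

# Return 0 if "sign-tags = True" is set in [DEFAULT] or [buildpackage].
# Comment lines are skipped, so a commented-out setting counts as off.
gbp_signed_tags_enabled() {
    conf=$1
    awk '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            sect = $0
            sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect)
            next
        }
        /^[ \t]*sign-tags[ \t]*=/ {
            if (sect == "DEFAULT" || sect == "buildpackage") {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                if (tolower(v) == "true") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# Fail unless tag $2 in repo $1 carries a good signature from a key in
# keyring $3 AND a source package built from the tagged tree is identical
# to the archive .dsc $4 (whose .orig tarball must sit beside it).
verify_tag_matches_archive() {
    repo=$1 tag=$2 keyring=$3 archive_dsc=$4

    # Trust only the supplied keyring: verify inside a throwaway GNUPGHOME
    # that contains nothing else, so a tag signed by any other key fails.
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    gpg --quiet --batch --import "$keyring"
    git -C "$repo" verify-tag "$tag"

    # Export the tagged tree itself rather than building in the working copy,
    # so uncommitted local changes cannot mask a mismatch.
    work=$(mktemp -d)
    git -C "$repo" archive --format=tar --prefix=src/ "$tag" | tar -x -C "$work"

    # dpkg-source needs the upstream tarball next to the source tree;
    # reuse the one that was downloaded together with the archive's .dsc.
    for orig in "$(dirname "$archive_dsc")"/*.orig.tar.*; do
        if [ -e "$orig" ]; then cp "$orig" "$work"/; fi
    done
    (cd "$work/src" && dpkg-buildpackage -S -us -uc -d -nc >/dev/null)

    # debdiff exits 0 only when the two source packages are identical.
    debdiff "$archive_dsc" "$work"/*.dsc
}

# Usage: verify-tag.sh <repo> <tag> <keyring> <archive.dsc>
if [ "$#" -eq 4 ]; then
    verify_tag_matches_archive "$@"
fi
```

The keyring restriction is what turns "signed" into "signed by someone I trust": `git verify-tag` reports a good signature for any key it can find, so verifying in a GNUPGHOME that holds only debian-keyring makes a tag from an unknown key fail outright instead of merely printing a warning.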

