On 21/03/19 at 18:57 +0100, Joerg Jaspert wrote: > Also, it will be a drastical change and has many far reaching > consequences and needs lots of work nefore we are near it.
I'm probably missing something, but it doesn't sound like a lot of work to me? It's "just" a service that: - gets notified of the existence of a git repo + tag to upload - fetches that git repo + tag - checks signature / confirm that the GPG key owner is allowed to upload that package - build a Debian source package - uses a slightly different path to accept the source package (because the .dsc and .changes wouldn't be signed) This could exist in parallel to the current upload scheme. And it's a terrible idea, but it could even be implemented as a third-party service, run by a DD that would do that and sign+upload the source package using the DD's own GPG key. Lucas
