Hi Sean, On Wed, Jun 12, 2024 at 06:25:02AM +0800, Sean Whitton wrote: > BEGIN FORMAL RESOLUTION TEXT > > tag2upload allows DDs and DMs to upload simply by using the > git-debpush(1) script to push a signed git tag.
Question. Does the tag signer need to trust the remote vcs and its admins at the moment of tag signing? With a .changes file the signer has full local control: local source code inspection, local checksums generation, and local signing. I wonder how tag2upload would offer this level of control without lowering the value of the signatures. Cheers, Bart
