Bastian Blank <[email protected]> writes:

> But maybe you can answer the question: Given the .dsc file, how can
> you, and more critical the public, verify that you and only you signed
> that upload?

Why is this, specifically, important?

I can turn that question around: given the .dsc file, how can I find the Git tree that the maintainer vetted and intended to upload to the archive? Why should I have any faith in the archive if I cannot verify that?

I don't think this is a useful way to talk about the security guarantees that we can provide. You are massively overindexing on a very specific implementation detail that does not prove what you seem to think it proves.

-- 
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>