Git packaging for orig.tar.gz style packages

Sam Vilain sam at vilain.net
Sun Oct 14 22:23:54 UTC 2007


Kumar Appaiah wrote:
> So, according to Martin, there really is no sanctity about providing
> the upstream provided release tarball as .orig.tar.gz, as long as both
> provide identical content. Of course, I don't think that would still
> prevent me from keeping the upstream tarball in the parent directory
> anyway during the build, to retain the satisfaction of using the
> upstream tarball as the .orig.tar.gz.

To provide an audit trail, it may be worth having people sign tags that
they extracted the tarball with SHA1 sum X, which resulted in tree Y.

In git you don't have to tag commits, you can tag trees too - so you
could in principle have tags named like the tarballs they import, with
the information about what they were extracted from put in the tag message.

People could even repeat the operation by confirming that they extract
the tarball, get the same contents and then add their signature to the
tag (note: this isn't currently directly supported in git; you'd have to
make a new tag with both signatures on it, and then arrange for the
repository to allow for signed tags with additional signatures to
replace the original).  Think two people turning their keys at once on
the money vaults.

Sam.
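The audit trail described above, worked through as an added example that is not part of the original mail: the tarball, repository and tag names are made up, and it assumes git, tar and sha1sum (or shasum) are on PATH.

```shell
#!/bin/sh
# Added example (not code from the original mail): tag a git *tree* with the
# SHA1 of the tarball it was extracted from, then check that re-extracting the
# tarball reproduces the recorded tree. Tag and path names here are made up.
set -e
export GIT_COMMITTER_NAME="Example Maintainer" GIT_COMMITTER_EMAIL="maint@example.invalid"

sha1_of() {  # SHA1 of a file, using sha1sum (GNU) or shasum (BSD/macOS)
    { command -v sha1sum >/dev/null 2>&1 && sha1sum "$1" || shasum -a 1 "$1"; } | cut -d' ' -f1
}

# Extract a tarball into a scratch directory and print the id of the git tree
# holding its contents (the tarball's top-level directory is kept in the tree).
tree_id_of_tarball() {
    scratch=$(mktemp -d)
    tar -xzf "$1" -C "$scratch"
    (cd "$scratch" && export GIT_WORK_TREE="$scratch" GIT_INDEX_FILE="$scratch.index" &&
        git add --all . && git write-tree)
    rm -rf "$scratch" "$scratch.index"
}

# Annotated tag pointing directly at the tree (no commit involved), with the
# tarball name, its SHA1 and the tree id in the message. Replace -a with -s to
# GPG-sign the tag as the mail suggests. Prints the tree id.
tag_tarball_tree() {
    tarball=$1
    tree=$(tree_id_of_tarball "$tarball")
    sum=$(sha1_of "$tarball")
    git tag -a "upstream/$(basename "$tarball" .tar.gz)" "$tree" \
        -m "Extracted $(basename "$tarball") with SHA1 $sum, giving tree $tree"
    echo "$tree"
}

# Repeat the extraction and compare it with what the tag records: the SHA1 in
# the message and the tree the tag points at must both match.
verify_tarball_tag() {
    tarball=$1 tagname=$2
    git cat-file -p "$tagname" | grep -q "SHA1 $(sha1_of "$tarball")" || return 1
    [ "$(git rev-parse "$tagname^{tree}")" = "$(tree_id_of_tarball "$tarball")" ]
}

# Constructed demo input: a tiny upstream tarball and an empty repository to tag in.
setup_demo() {
    DEMO=$(mktemp -d)
    mkdir -p "$DEMO/foo-1.0/src"
    printf 'int main(void) { return 0; }\n' > "$DEMO/foo-1.0/src/main.c"
    printf 'foo 1.0\n' > "$DEMO/foo-1.0/README"
    tar -czf "$DEMO/foo-1.0.tar.gz" -C "$DEMO" foo-1.0
    TARBALL="$DEMO/foo-1.0.tar.gz"
    git init -q "$DEMO/repo" && export GIT_DIR="$DEMO/repo/.git"
}
```

A second person repeats the check with `verify_tarball_tag` on their own copy of the tarball before adding their signature; `git cat-file -t 'upstream/foo-1.0^{}'` confirms the tag peels to a tree rather than a commit.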
