Guido Guenther wrote:
Hi Joey, I just came across your blog post and just wanted to add two more things in favour of a .git.tar.gz:
Git supports signed tags, so the release of a Debian package could consist of pushing to git.debian.org and generating a signed changes file containing the package name and the tag name - the buildds would then simply clone the repository from git.debian.org, verify the tag (git-tag -v) given in the changes file, checkout the tag, and build the package.
No shifting around of huge packages needed: the buildds could cache an arbitrary number of (the quite space-efficient) git repositories and simply run git-pull when they receive a new changes file to process.
We'd have the whole history of every package around, and this whole history is protected by the SHA hashes - this, and finally disallowing packages built on arbitrary machines into our archive so that every package gets built by a buildd, would improve security considerably, and it'd finally become much harder to get a trojaned binary into the archive.
backports.org could simply clone the central repository and build the backports on specific branches exploiting another nice feature of distributed version control.
Cheers,
-- Guido
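The hash chain the comment relies on, as an added example that is not part of the post and not git's own code: a pure-Python model of how git derives blob, tree, commit and tag object ids, showing that a signed tag's bytes embed the commit id, which embeds the tree id, which embeds every file's blob hash. The package files, the maintainer identity string and the tag name are constructed; the OpenPGP signature that git-tag -v would check is represented by a labelled placeholder and is not verified here (the model only checks the hash binding, which is what the signature covers).

```python
import hashlib

# Constructed maintainer/tagger identity in git's "name <email> epoch tz" form.
IDENT = "Example Maintainer <maint@example.invalid> 1200000000 +0000"

# Placeholder standing in for the armoured OpenPGP block git appends to a
# signed tag; it is NOT a real signature and is never verified in this model.
SIGNATURE_PLACEHOLDER = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "(placeholder, not a real signature)\n"
    "-----END PGP SIGNATURE-----\n"
)


def git_object_id(obj_type: str, content: bytes) -> str:
    """SHA-1 over git's canonical framing: '<type> <len>\\0<content>'."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def blob_id(data: bytes) -> str:
    """Object id of a file's contents."""
    return git_object_id("blob", data)


def tree_id(entries) -> str:
    """entries: iterable of (mode, name, blob_hex). Git stores entries sorted
    by name, each followed by the 20-byte binary object id. Flat trees only."""
    body = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", body)


def commit_id(tree: str, parents, ident: str, message: str) -> str:
    """Commit object: tree id, parent ids, author/committer, message.
    Because parents are hashed in, the id fixes the whole history behind it."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


def tag_object(tag_name: str, commit: str, tagger: str, message: str,
               signature: str = "") -> bytes:
    """Annotated tag object. For a signed tag, git appends the OpenPGP armour
    after the message; the signature covers the text before it, including the
    'object' line, which is how signing the tag binds one exact commit."""
    body = (f"object {commit}\ntype commit\ntag {tag_name}\n"
            f"tagger {tagger}\n\n{message}\n")
    return (body + signature).encode()


def tag_target(tag_bytes: bytes) -> str:
    """Commit id named by a tag object (its first header line)."""
    first = tag_bytes.split(b"\n", 1)[0].decode()
    kind, _, oid = first.partition(" ")
    if kind != "object" or len(oid) != 40:
        raise ValueError("malformed tag object")
    return oid


def package_commit(files: dict, parents=(), ident: str = IDENT,
                   message: str = "Release 1.0-1") -> str:
    """Hash a flat snapshot of package files (name -> bytes) into a commit id."""
    entries = [("100644", name, blob_id(data)) for name, data in files.items()]
    return commit_id(tree_id(entries), parents, ident, message)


def tag_still_matches(tag_bytes: bytes, files: dict, parents=()) -> bool:
    """The check a buildd makes after verifying the tag signature: does the
    tree it is about to build hash to the commit the signed tag names?"""
    return tag_target(tag_bytes) == package_commit(files, parents)


# Constructed sample package: the snapshot the maintainer tagged, and the same
# snapshot with one file edited after tagging.
PRISTINE = {"control": b"Source: foo\n", "rules": b"#!/usr/bin/make -f\n"}
TAMPERED = dict(PRISTINE, rules=PRISTINE["rules"] + b"# edited after tagging\n")


def build_release_tag() -> bytes:
    """Tag object a maintainer would sign for the pristine snapshot."""
    return tag_object("debian/1.0-1", package_commit(PRISTINE), IDENT,
                      "Release 1.0-1", SIGNATURE_PLACEHOLDER)


if __name__ == "__main__":
    tag = build_release_tag()
    print("tag names commit", tag_target(tag))
    print("pristine tree matches tag:", tag_still_matches(tag, PRISTINE))
    print("edited tree matches tag:  ", tag_still_matches(tag, TAMPERED))
```

In the flow the comment describes, git-tag -v checks the OpenPGP signature over the tag object text; this model shows the other half, that the object line inside the signed text transitively fixes every file and every ancestor commit, so a buildd that verifies the tag and checks out exactly that commit builds exactly the tree the maintainer signed, and any change to a file or to the history changes the commit id the tag no longer matches.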