• Bug#1069001: dgit: tag2upload: [dgit ...] should include source= and version= fields

    From Sean Whitton@21:1/5 to All on Mon Apr 15 04:30:01 2024
    Source: dgit
    Version: 11.8
    Severity: important

    Dear maintainer,

    As discussed elsewhere, we want source= and version= tags in the
    tag2upload metadata to prevent the possibility of a certain form of
    attack by someone who is able to replace git objects on salsa.

    --
    Sean Whitton

  • From Ian Jackson@21:1/5 to Sean Whitton on Mon Apr 15 11:00:02 2024
    Sean Whitton writes ("Bug#1069001: dgit: tag2upload: [dgit ...] should include source= and version= fields"):
    > As discussed elsewhere, we want source= and version= tags in the
    > tag2upload metadata to prevent the possibility of a certain form of
    > attack by someone who is able to replace git objects on salsa.

    It should include the target suite too. Then it specifies everything
    except the tree contents.

    Ian.

    --
    Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

    Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
    that is a private address which bypasses my fierce spamfilter.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
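To make the proposal in this thread concrete, here is an added Python example (not dgit's or tag2upload's own code) of the check a tag2upload service could perform: parse the `[dgit ...]` metadata lines of a signed tag message and refuse any tag whose source, version or target suite is absent or disagrees with the upload being prepared from the tree. The `[dgit key=value ...]` line layout, the `suite=` field name for Ian's "target suite", and the sample tag messages are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# One metadata line looks like "[dgit token token ...]" (syntax assumed here).
DGIT_LINE = re.compile(r"^\[dgit\s+(.*?)\s*\]$")

# The fields a tag2upload tag must bind, per the thread: source, version, and
# (Ian's addition) the target suite. The field name "suite" is an assumption.
REQUIRED_FIELDS = ("source", "version", "suite")


@dataclass
class DgitMetadata:
    fields: dict = field(default_factory=dict)   # key=value tokens
    flags: set = field(default_factory=set)      # bare tokens such as "split"


def parse_dgit_metadata(tag_message: str) -> DgitMetadata:
    """Collect key=value fields and bare flags from every [dgit ...] line.

    A key that appears twice with different values is rejected outright:
    an ambiguous binding is as bad as a missing one.
    """
    meta = DgitMetadata()
    for raw in tag_message.splitlines():
        m = DGIT_LINE.match(raw.strip())
        if not m:
            continue
        for token in m.group(1).split():
            if "=" in token:
                key, value = token.split("=", 1)
                if key in meta.fields and meta.fields[key] != value:
                    raise ValueError(f"conflicting values for {key!r}")
                meta.fields[key] = value
            else:
                meta.flags.add(token)
    return meta


def check_tag2upload_binding(tag_message: str, upload: dict) -> tuple:
    """Return (ok, reason).

    `upload` holds the source/version/suite the service derived from the
    tree it is about to upload. The signed tag is accepted only if its
    metadata names exactly that package, version and suite, so a tree
    swapped underneath the tag cannot be uploaded under its authority.
    """
    try:
        meta = parse_dgit_metadata(tag_message)
    except ValueError as exc:
        return False, str(exc)
    missing = [k for k in REQUIRED_FIELDS if k not in meta.fields]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    for k in REQUIRED_FIELDS:
        if meta.fields[k] != upload[k]:
            return False, f"{k} mismatch: tag says {meta.fields[k]!r}, upload is {upload[k]!r}"
    return True, "tag metadata binds source, version and suite"


# Constructed sample tag messages (not real Debian tags).
TAG_BOUND = """foo release 1.2-3 for unstable

[dgit distro=debian split]
[dgit please-upload source=foo version=1.2-3 suite=unstable]
"""

TAG_UNBOUND = """foo release 1.2-3 for unstable

[dgit distro=debian split]
"""

UPLOAD_MATCHING = {"source": "foo", "version": "1.2-3", "suite": "unstable"}
# Values a service would derive from a tree that was swapped under the tag.
UPLOAD_SWAPPED = {"source": "foo", "version": "1.2-4", "suite": "unstable"}


def demo() -> dict:
    """Run the three cases the thread is concerned with."""
    return {
        "bound_ok": check_tag2upload_binding(TAG_BOUND, UPLOAD_MATCHING),
        "bound_vs_swapped_tree": check_tag2upload_binding(TAG_BOUND, UPLOAD_SWAPPED),
        "unbound": check_tag2upload_binding(TAG_UNBOUND, UPLOAD_MATCHING),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The design point is that the expected values come from the tree the service is actually going to build, not from the tag itself; the check fails closed on missing fields and on a duplicated key with differing values, since either leaves the signed metadata ambiguous about what the uploader authorised.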