Diffstat (limited to 'infra/dgit-repos-policy-debian')
-rwxr-xr-xinfra/dgit-repos-policy-debian20
1 files changed, 20 insertions, 0 deletions
diff --git a/infra/dgit-repos-policy-debian b/infra/dgit-repos-policy-debian
index cb69211..0566285 100755
--- a/infra/dgit-repos-policy-debian
+++ b/infra/dgit-repos-policy-debian
@@ -313,6 +313,26 @@ sub getpushinfo () {
sub deliberately ($) { return $deliberately{"--deliberately-$_[0]"}; }
sub package_questionable_head_msg () {
+ # This lets us reuse some of the same code, and the same message,
+ # for checking during actual push, and for pre-push taint check.
+ #
+ # In principle it might be nicer to unify this code, with some
+ # kind of super realistic dry run push function. However, that
+ # dry run function would have to involve sending the client's git
+ # objects to the server. We wouldn't want to do that twice, so it
+ # would have to be cached somehow, but we don't want to allow
+ # un-signed things to lurk about on the server. (The super dry
+ # run mode would have to involve the server tolerating an unsigned
+ # tag, or something, but that would be OK in principle.) The dry
+ # run mode would have to be careful about what subsets of the
+ # actions it took.
+ #
+ # So instead we apply ad-hoc checks, with separate implementations
+ # for the push path, and the pre-push checks. The tainted-objects
+ # policy-client-query exists to support this: it allows the
+ # efficient reimplementation of the tainted objects check, without
+ # transferring the objects to the server.
+
return undef unless $pkg_exists;
return undef unless $pkg_secret;
# TODO: ideally this would be translated at the client end but
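Review bot: The comment added at the top of package_questionable_head_msg does not say which of the two implementations it describes is authoritative, nor where the pre-push counterpart lives. With separate ad-hoc implementations of one policy, the practical risk is that they drift apart, and a maintainer reading only this sub has no pointer to the other one. I would close the comment with a line such as `# The push-path check is the one that enforces policy; the pre-push check is advisory and must be kept in step with it.` (assuming that is the intent, which the hunk does not show). It would also help to name the sub or file that implements the tainted-objects policy-client-query. The sub's body continues past the end of the hunk, so the rest of the check is not visible here.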