let us assume that it is not possible for new to have a version older than sid

Whenever pushing, check for
  source-package-local tainted history
  global tainted history
    can be overridden by --deliberately except for an admin prohib taint

ALL of the following apply only if history is secret

if NEW has a version which is in our history[1]

  (on push only)
  require explicit specification of one of
    --deliberately-include-questionable-history
    --deliberately-not-fast-forward
      (will taint old NEW version --d-i-q-h)

  (otherwise)
  leave it be

if NEW has no version, or a version which is not in our history[1]

  (always)
  check all suites
  if any suite's version is in our history[1], publish our history
  otherwise discard our history,
    tainting --deliberately-include-questionable-history

[1] looking for the relevant git tag for the version number and not
    caring what that tag looks for

======

Want some invariants or properties

 - .dsc of published dgit package will have corresponding publicly
   visible dgit-repo (soon)

 - when a new package is rejected we help maintainer avoid
   accidentally including bad objects in published dgit history

 - .dsc of NEW dgit package has corresponding dgit-repo but not
   publicly readable
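
The secret-history rules above, written out as a decision function. This is an added example, not dgit's own code. The names decide, tag_for and in_history, the debian/<version> tag naming, the sample tags and suites, and the reading of "tainting --d-i-q-h" as "record a taint that --deliberately-include-questionable-history overrides" are assumptions.

```python
# Added illustration of the notes' secret-history rules; not dgit's own code.
from enum import Enum

DIQH = "--deliberately-include-questionable-history"
DNFF = "--deliberately-not-fast-forward"

class Action(Enum):
    NOT_APPLICABLE = "history is not secret"
    REFUSE_PUSH = "push needs an explicit --deliberately option"
    ACCEPT_PUSH = "push allowed"
    LEAVE = "leave it be"
    PUBLISH = "publish our history"
    DISCARD = "discard our history"

def tag_for(version):
    # Assumption: DEP-14-style tag name; only the tag's existence matters [1].
    return "debian/" + version.replace(":", "%").replace("~", "_")

def in_history(version, tags):
    return version is not None and tag_for(version) in tags

def decide(secret, pushing, new_version, suite_versions, tags, deliberately=()):
    """Return (Action, option that overrides any taint recorded, or None)."""
    if not secret:
        return Action.NOT_APPLICABLE, None
    if in_history(new_version, tags):
        if not pushing:
            return Action.LEAVE, None
        if DNFF in deliberately:
            # Reading of the notes: the old NEW version becomes tainted,
            # and that taint is overridable with DIQH.
            return Action.ACCEPT_PUSH, DIQH
        if DIQH in deliberately:
            return Action.ACCEPT_PUSH, None
        return Action.REFUSE_PUSH, None
    # NEW has no version, or one that is not in our history: check all suites.
    if any(in_history(v, tags) for v in suite_versions.values()):
        return Action.PUBLISH, None
    return Action.DISCARD, DIQH

# Constructed sample: tags in the secret repo and versions per suite.
TAGS = {"debian/1.0-1", "debian/1.0-2", "debian/1%2.0_rc1-1"}
SUITES = {"sid": "1.0-1", "stable": "0.9-3"}

if __name__ == "__main__":
    for new in ("1.0-2", "1.1-1", None):
        print(new, decide(True, True, new, SUITES, TAGS))
```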