======

policy hooks:

 - cron check thing
     implement `(always)' above
 - in dispatch, on check or push, during package selection
     implement `(always)' above

 - in dgit-repos-server, run policy hook after parsing tag
      but before ff check; passing policy hook the deliberatelies
      policy hook may:
        - if appropriate blow away existing repo, copy old taints and add taints
        - check taints
        - fail if unused deliberatelies
        - indicate to parent whether to disregard ff check
        - remove taints which were overridden

on push encode --deliberately in tag as lines
  [dgit --deliberately-blah]

======

Want some invariants or properties

 - .dsc of published dgit package will have corresponding publicly
   visible dgit-repo (soon)

 - when a new package is rejected we help maintainer avoid
   accidentally including bad objects in published dgit history

 - .dsc of NEW dgit package has corresponding dgit-repo but not
   publicly readable