On Sun, Aug 15, 2010 at 03:08:42PM -0700, Russ Allbery wrote: > Roger Leigh <rleigh@codelibre.net> writes: > > Essentially, *everything* stays in git from upstream to distributed > > releases to debian work and releases and also to downstreams. There's > > no import of release tarballs because they are in git too, and there's > > no pristine tar because the GPG-signed tag of the distribution *is* the > > release. Currently what an upstream releases as the tarball might not > > exactly match the release in the VCS (due to autotools bootstrap, other > > generated files etc.) so here "make dist" actually makes a separate > > "distribution" branch (as opposed to release) so you have a natural set > > of branches: > > development → release → distribution → debian →→ downstream > > and at each step you have GPG-signed tags giving you an auditable > > chain of trust along the path. > > Does any upstream do that yet? Not yet, but I'm planning on doing so. I wrote the logic last year, but didn't get around to actually putting it to use. I finally injected all of the distribution history into schroot last night to test it for real: http://www.mail-archive.com/automake@gnu.org/msg16384.html http://www.codelibre.net/~rleigh/schroot-dist-gitk.png In the above example, we go release|debian → distribution since it's effectively Debian native. For others, we would go release → distribution → debian [ → downstream… ]. Regards, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
Attachment:
signature.asc
Description: Digital signature