
Re: New supply-chain security tool: backseat-signed



On 4/5/24 12:31 AM, Adrian Bunk wrote:
> Hashes of "git archive" tarballs are anyway not stable,
> so whatever a maintainer generates is not worse than what is on GitHub.
>
> Any proper tooling would have to verify that the contents are equal.
>
> ...
> Being able to disregard the compression layer is still necessary however,
> because Debian (as far as I know) never takes the hash of the inner .tar
> file but only the compressed one. Because of this you may still need to
> provide `--orig <path>` if you want to compare with an uncompressed tar.
> ...
>
> Right now the preferred form of source in Debian is an upstream-signed
> release tarball, NOT anything from git.
>
> An actual improvement would be to automatically and 100% reliably
> verify that a given tarball matches the commit ID and signed git tag
> in an upstream git tree.

I strongly disagree. I think the upstream signature is overrated.

It's from the old mindset of code signing being the only way of securely getting code from upstream. Recent events have shown that (instead of bothering upstream for signatures) it's much more important to have clarity and transparency about what's in the code that is compiled into binaries and executed on our computers, rather than who we got it from. The entire reproducible builds effort is based on the idea of the source code in Debian being safe and sound to use.

If upstream refused to sign anything but pre-compiled llvm IR, I'd put both the IR and signature in the trash and build from source code.

If upstream wouldn't sign anything but autotools pre-processed archives with 25k lines of auto-generated shell scripts, I'd put it next to the IR and build from the actual source code as well.

If upstream would only sign a tarball with files sorted in the order they were returned by their kernel to readdir(), I'd raise the question why we're having this in 2024 (and possibly suggest using a tar with sorted entries).

Although to be honest, if this were really the only problem we were having, I'd likely not care anymore and put my time to better use.

> Or perhaps stop using tarballs in Debian as sole permitted
> form of source.

I'd be fine with that.

cheers,
kpcyrd
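The compression-layer point quoted in the mail above (Debian hashes only the compressed file, so tooling has to compare what is inside) as an added example; this is not code from the thread or from backseat-signed. It digests the entries of a tar archive independently of compression and entry order, so a plain `git archive` tar and a `.tar.gz` release of the same tree compare equal while a single changed file is still caught. All archives are constructed in memory from a made-up sample tree.

```python
import hashlib
import io
import tarfile

def content_digest(archive: bytes) -> str:
    """Digest of what is inside a tar archive (entry names, types and file
    contents, sorted by name). The compression layer and the order in which
    entries were written do not affect it, so a .tar.gz and a plain .tar
    made from the same tree get the same digest."""
    records = []
    # mode "r:*" lets tarfile detect gzip/bz2/xz or no compression at all
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf:
            if member.isfile():
                payload = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
            else:
                # directories, symlinks, ...: record the type and link target
                payload = f"{member.type!r}:{member.linkname}"
            records.append((member.name, payload))
    h = hashlib.sha256()
    for name, payload in sorted(records):
        h.update(f"{name}\0{payload}\n".encode())
    return h.hexdigest()

def same_contents(a: bytes, b: bytes) -> bool:
    """True when both archives hold the same tree, whatever the compression and entry order."""
    return content_digest(a) == content_digest(b)

def build_tar(files: dict, order: list, compress: bool) -> bytes:
    """Constructed sample input: write files (name -> bytes) in the given
    order into an in-memory tar, gzip-compressed when compress is True."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if compress else "w") as tf:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            tf.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

# Constructed sample tree standing in for an upstream release (not a real project)
SAMPLE = {"proj-1.0/README": b"hello\n", "proj-1.0/main.c": b"int main(void){return 0;}\n"}
PLAIN_TAR = build_tar(SAMPLE, sorted(SAMPLE), compress=False)  # like `git archive` output
RELEASE_TGZ = build_tar(SAMPLE, sorted(SAMPLE, reverse=True), compress=True)  # like an uploaded .tar.gz
TAMPERED_TGZ = build_tar({**SAMPLE, "proj-1.0/main.c": b"int main(void){return 1;}\n"},
                         sorted(SAMPLE), compress=True)
if __name__ == "__main__":
    print("whole-file hashes differ:", PLAIN_TAR != RELEASE_TGZ)
    print("same contents:", same_contents(PLAIN_TAR, RELEASE_TGZ))
    print("tampered copy detected:", not same_contents(PLAIN_TAR, TAMPERED_TGZ))
```

Comparing whole-file hashes of the two archives fails even though the trees are identical; comparing content digests passes and still flags the modified copy.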
