
Bug#840523: debian-installer: undefined source format; .git/ may end up in source tarball



Package: src:debian-installer
Version: 20160704
Severity: important
Tags: patch

Hi!

Suppose a debian-installer source package is produced this way:

$ debcheckout debian-installer
$ cd debian-installer
$ debuild -S
[...]
dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1)
dpkg-source: warning: source directory 'debian-installer' is not <sourcepackage>-<upstreamversion> 'debian-installer-20160704'
dpkg-source: info: using source format '1.0'
dpkg-source: info: building debian-installer in debian-installer_20160704.tar.gz
dpkg-source: info: building debian-installer in debian-installer_20160704.dsc

In source format 1.0, dpkg-source does *not* exclude the .git/ directory
from the generated tarball!  So if you built the source package that way,
your Git working tree's refs and config are all included in the upload,
which happened with my uploads here:
http://ftp.debian.org/debian/pool/main/d/debian-installer/debian-installer_20150422+kbsd8u2.tar.gz
http://ftp.debian.org/debian/pool/main/d/debian-installer/debian-installer_20150422+kbsd8u2+deb8u4.tar.gz

Note that source format 1.0 is only used because one is not specified in
debian/source/format.  dpkg-source(1) recommends specifying a version and
the lack of a debian/source/format file may be considered an error in
future.

dpkg-source(1) also recommends choosing a newer format.  3.0 (native)
by default already excludes VCS directories such as .git/ from the
generated tarball, already fixing the issue above.

3.0 (native) does however default to .tar.xz compression, rather than
.tar.gz as used at the moment.  I'm not sure if that may be an issue for
other tools.  Maybe they should be fixed in that case.  Or _if_ it's
preferred to still use .tar.gz, that could be specified in
debian/source/options:
    compression = "gzip"

Attached is my proposed patch, for consideration.

Thanks!

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 10.1-0-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
>From d74e62562b5814a496ff485c4ba4f6bbfa542a50 Mon Sep 17 00:00:00 2001
From: Steven Chamberlain <steven@pyro.eu.org>
Date: Wed, 12 Oct 2016 12:47:02 +0000
Subject: [PATCH] Switch to dpkg-source format 3.0 (native)

By default this will also exclude VCS directories like .git/ from the
generated source tarball.

This changes the default compression from .tar.gz to .tar.xz also.
---
 debian/source/format | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 debian/source/format

diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
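Review bot: the new debian/source/format at the end of this hunk is the only file the patch touches (diffstat: 1 file changed), so the move from .tar.gz to .tar.xz noted in the commit message takes effect implicitly. If anything that consumes the debian-installer tarball still expects .tar.gz, add debian/source/options with compression = "gzip" in the same commit, as the report suggests; otherwise say in the commit message that the consumers were checked. The patch also carries no debian/changelog entry for the format switch.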
-- 
2.1.4
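
A pre-upload check for the leak described in this report, as an added example that is not part of the original message or the attached patch: it lists tarball members that sit under VCS metadata directories and reports which source format a tree declares. The function names, the list of VCS directory names and the sample tree are assumptions constructed for illustration, not dpkg-source's own ignore list.

```shell
#!/bin/sh
# Added example: pre-upload check for VCS metadata in a source tarball.
# VCS_RE is an assumed list of metadata names, not dpkg-source's ignore list.
VCS_RE='(^|/)(\.git|\.svn|\.hg|\.bzr|CVS)(/|$)'

# Print tarball members inside a VCS metadata directory (tar detects gzip/xz).
vcs_members() {
    tar -tf "$1" | grep -E "$VCS_RE"
}

# Return 0 if the tarball is clean, 1 (with a report on stderr) if not.
check_tarball() {
    leaked=$(vcs_members "$1") || true
    if [ -n "$leaked" ]; then
        printf '%s: VCS metadata present:\n%s\n' "$1" "$leaked" >&2
        return 1
    fi
    return 0
}

# Print the source format an unpacked tree declares. Without
# debian/source/format, dpkg-source falls back to format 1.0.
source_format() {
    if [ -f "$1/debian/source/format" ]; then
        cat "$1/debian/source/format"
    else
        echo "1.0 (implicit)"
    fi
}

# Build a constructed sample tree (not real debian-installer content) and two
# tarballs: one packing the whole tree, .git/ included, and one excluding it.
# Prints the temporary work directory; the caller removes it.
make_samples() {
    work=$(mktemp -d)
    mkdir -p "$work/pkg/.git/refs/heads" "$work/pkg/debian"
    echo '[remote "origin"]' > "$work/pkg/.git/config"
    echo 'constructed-ref' > "$work/pkg/.git/refs/heads/master"
    echo '*.o' > "$work/pkg/.gitignore"
    echo 'constructed' > "$work/pkg/debian/rules"
    tar -czf "$work/with-git.tar.gz" -C "$work" pkg
    tar -czf "$work/clean.tar.gz" -C "$work" --exclude=.git pkg
    echo "$work"
}
```

Run `check_tarball` on the generated `.tar.gz` or `.tar.xz` before signing and uploading; a non-zero exit means the tarball should be rebuilt.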

