Re: Notes from the DebConf Source Format BoF

On Sun, Aug 15, 2010 at 03:08:42PM -0700, Russ Allbery wrote:
> Roger Leigh <rleigh@codelibre.net> writes:
> > Essentially, *everything* stays in git from upstream to distributed
> > releases to debian work and releases and also to downstreams.  There's
> > no import of release tarballs because they are in git too, and there's
> > no pristine tar because the GPG-signed tag of the distribution *is* the
> > release.  Currently what an upstream releases as the tarball might not
> > exactly match the release in the VCS (due to autotools bootstrap, other
> > generated files etc.) so here "make dist" actually makes a separate
> > "distribution" branch (as opposed to release) so you have a natural set
> > of branches:
> >   development → release → distribution → debian →→ downstream
> > and at each step you have GPG-signed tags giving you an auditable
> > chain of trust along the path.
> Does any upstream do that yet?

Not yet, but I'm planning on doing so.  I wrote the logic last
year, but didn't get around to actually putting it to use.  I
finally injected all of the distribution history into schroot
last night to test it for real:


In the above example, we go release|debian → distribution since
it's effectively Debian native.  For others, we would go
release → distribution → debian [ → downstream… ].


  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
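
Added example (not part of the original message, and not schroot's own tooling): a POSIX shell sketch of auditing the tag chain described in the quoted text, run inside a git work tree. The function names and the tag names in the usage comment are hypothetical, and it assumes each stage's tag descends from the previous stage's tag.

```shell
#!/bin/sh
# Added example: audit a chain of GPG-signed tags, passed oldest stage first,
# e.g.  audit_chain release-1.0 distribution-1.0 debian-1.0-1
# (hypothetical tag names; substitute the ones the repository uses).

# check_ancestry TAG...
# Each tag's commit must be an ancestor of the next tag's commit, so that
# every stage provably builds on the stage before it.
check_ancestry() {
    prev=""
    for tag in "$@"; do
        if [ -n "$prev" ] &&
           ! git merge-base --is-ancestor "${prev}^{commit}" "${tag}^{commit}"
        then
            echo "BROKEN: $prev is not an ancestor of $tag" >&2
            return 1
        fi
        prev=$tag
    done
}

# check_signatures TAG...
# Each tag must be an annotated tag object (a lightweight tag cannot carry a
# signature) and its signature must verify against the local keyring.
check_signatures() {
    rc=0
    for tag in "$@"; do
        if [ "$(git cat-file -t "refs/tags/$tag" 2>/dev/null)" != "tag" ]; then
            echo "UNSIGNED: $tag is not an annotated tag" >&2
            rc=1
        elif ! git verify-tag "$tag" >/dev/null 2>&1; then
            echo "UNVERIFIED: $tag has no valid signature" >&2
            rc=1
        fi
    done
    return $rc
}

# audit_chain TAG...
# Succeeds only if the ancestry holds and every tag in the chain verifies.
audit_chain() {
    check_ancestry "$@" && check_signatures "$@"
}
```

git verify-tag accepts a good signature from any key in the local keyring, so the audit is only as strong as the set of keys imported there; keep that keyring limited to the expected signers for each stage.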
