Re: Standardizing the layout of git packaging repositories



Thomas Goirand <zigo@debian.org> writes:
> On 08/16/2014 07:05 AM, Jeremy Stanley wrote:

>> However upstream may build tarballs through a (hopefully
>> repeatable/automated) process at release time, publish checksums and
>> signatures for them, et cetera and prefer packagers use those as the
>> original tarballs for official release versions.

> And then? If I prefer to use their git repository, and create my own
> orig.tar.xz out of a signed git tag, what is the problem, as long as I
> use the tag provided by upstream?

Suppose someone wants to check (possibly as part of a forensic
investigation) that the source in Debian matches the source released and
signed by upstream.  If you reuse the upstream tarball, the signature is
valid, so this is as simple as verifying the Debian *.orig.tar.xz file
against the upstream signature or a checksum of a good copy of the
upstream source.  If you regenerate the tarball, those checksums are no
longer valid, and now someone has to unpack both tarballs and compare all
of the files (and, depending on what they're checking, permissions and
other metadata) individually.

It's not a huge advantage, but for me at least it's a quality of
implementation issue to base the packaging on the tarball as released,
instead of on a tarball generated from the same file tree.

> Also, what if I need to build a Debian package out of an upstream
> commit, because there's some bug fixes which I need, but there's no
> upstream tarball available?

Then obviously these issues don't apply.  :)

> Generally, upstream don't provide checksums, and even fewer provide PGP
> signatures, while tags in git repositories are often PGP signed (and I
> collected a bunch of signatures already in my ring).

I'm surprised that upstreams that sign their Git tags don't sign their
tarballs.  My experience is the opposite: signed tarballs are more common
than signed Git tags, at least for upstreams that do tarball releases at
all.

> And often, upstream include in the tarball artifacts which we do not
> need, like generated files and so on.

This is true, and opinions differ about the tradeoff there.  I personally
prefer to upload the source as released by upstream, including those
artifacts, to Debian, because I don't know how people who pull the source
from Debian might want to use it.  Yes, *we* don't need those artifacts,
but maybe someone wants to do an apt-get download and then run ./configure
and make for some reason without using the Debian packaging.

Basically, I see no harm, only a small amount of additional work once
pristine-tar and git-buildpackage are set up properly, and a moderate gain
to basing packaging on the upstream tarball as released.  I also do this
for packages for which I'm upstream.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
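The two verification paths described in the message above (one checksum
comparison for a reused upstream tarball versus unpack-and-compare for a
regenerated one), as an added example that is not part of this mail or of any
Debian tooling. It stands in for the upstream OpenPGP signature with a
published sha256 checksum (a `gpg --verify foo-1.0.tar.asc foo-1.0.tar` step
would be the same one-line check), builds a small constructed release tree
inline, and assumes GNU tar and coreutils (`stat -c`). The package name
`foo`, version `1.0` and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original mail. Shows (1) verifying a reused
# orig tarball against the upstream checksum and (2) the extra work needed
# when the orig tarball was regenerated from the same tree.
# Assumes GNU tar and coreutils (Linux). Sample tree is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "upstream" tree: one source file plus a generated, executable
# configure script of the kind upstream ships in release tarballs.
mk_tree() {   # $1 = directory, $2 = mtime in touch -t form (YYYYMMDDhhmm)
    mkdir -p "$1/src"
    printf 'int main(void){return 0;}\n' > "$1/src/main.c"
    printf '#!/bin/sh\necho configure\n' > "$1/configure"
    chmod 755 "$1/configure"
    find "$1" -exec touch -t "$2" {} +
}

# Upstream builds foo-1.0.tar at release time and publishes its sha256.
mk_tree "$WORK/up/foo-1.0" 201408160705
(cd "$WORK/up" && tar -cf foo-1.0.tar foo-1.0)
UPSTREAM_SUM=$(sha256sum "$WORK/up/foo-1.0.tar" | cut -d' ' -f1)

# Case 1: the packager reuses the upstream tarball as the orig tarball.
cp "$WORK/up/foo-1.0.tar" "$WORK/foo_1.0.orig.tar"

# Case 2: the packager regenerates the tarball from a checkout of the same
# tree. A checkout carries the checkout time as mtime, so identical content
# still yields different tar headers and therefore a different checksum.
mk_tree "$WORK/co/foo-1.0" 201408201200
(cd "$WORK/co" && tar -cf "$WORK/foo_1.0.orig.regen.tar" foo-1.0)

# Check 1: a reused tarball is verified with one checksum comparison.
verify_sum() {   # $1 = tarball, $2 = expected sha256; returns 0 on match
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Check 2: for a regenerated tarball the checksum proves nothing, so unpack
# both and compare file contents plus the metadata that matters here
# (permission bits and paths); mtimes are deliberately ignored.
list_tree() {    # $1 = dir; prints sorted "mode path" lines relative to dir
    (cd "$1" && find . | sort | while read -r f; do
        printf '%s %s\n' "$(stat -c %a "$f")" "$f"; done)
}
compare_tarballs() {   # $1, $2 = tarballs; returns 0 if trees are equivalent
    a=$(mktemp -d); b=$(mktemp -d)
    tar -xf "$1" -C "$a"; tar -xf "$2" -C "$b"
    rc=0
    diff -r "$a" "$b" >/dev/null || rc=1
    [ "$(list_tree "$a")" = "$(list_tree "$b")" ] || rc=1
    rm -rf "$a" "$b"
    return $rc
}

# Stand-alone run: the reused tarball verifies directly, the regenerated one
# does not, and only a full tree comparison shows the two to be equivalent.
verify_sum "$WORK/foo_1.0.orig.tar" "$UPSTREAM_SUM" \
    && echo "reused orig: checksum matches upstream"
verify_sum "$WORK/foo_1.0.orig.regen.tar" "$UPSTREAM_SUM" \
    || echo "regenerated orig: checksum differs, comparing unpacked trees"
compare_tarballs "$WORK/foo_1.0.orig.tar" "$WORK/foo_1.0.orig.regen.tar" \
    && echo "unpacked trees match in content and permission bits"
```

The point of the second half is the cost asymmetry: `verify_sum` is one
comparison against a value upstream published, while `compare_tarballs` has
to decide for itself which metadata counts (here modes but not mtimes) and
only proves equivalence to whatever tree it was handed, not to the release
upstream signed.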