Re: Detached upstream signature and git packaging

To: Maximiliano Curia <maxy@debian.org>
Cc: Development of Debian <debian-devel@lists.debian.org>, Raphael Hertzog <hertzog@debian.org>, Tomasz Buchert <tomasz@debian.org>
Subject: Re: Detached upstream signature and git packaging
From: Guido Günther <agx@sigxcpu.org>
Date: Wed, 2 Aug 2017 21:54:41 -0300
Message-id: <[🔎] 20170803005441.ghsjlpjlso4y34zg@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Maximiliano Curia <maxy@debian.org>, Development of Debian <debian-devel@lists.debian.org>, Raphael Hertzog <hertzog@debian.org>, Tomasz Buchert <tomasz@debian.org>
In-reply-to: <20170731145720.6jccnhgmyr4gcfyi@neoptolemo.gnuservers.com.ar>
References: <20170731145720.6jccnhgmyr4gcfyi@neoptolemo.gnuservers.com.ar>

Hi,
On Mon, Jul 31, 2017 at 04:57:22PM +0200, Maximiliano Curia wrote:
> Hi,
> 
> TL;DR We need to define a way to store detached upstream signatures in git.
> I'm including a proposal, suggestions welcome.
> 
> Not too long ago both uscan and dpkg-source added support for detached
> upstream signatures, that is: a signed pgp signature for each upstream
> released tarball.
> 
> For this to be of any use, the source package needs to ship the keyring of
> the upstream public keys (debian/upstream/signing-key.{asc,pgp}), with that
> uscan can check the validity of the tarball.
> 
> dpkg-source can also add the detached signatures in the corresponding
> changes files and upload them as part of the source package, this way these
> could be published in the archive and checked by our users.
> 
> So far so good, but for packagers that work on git repositories to handle
> their packages there is no defined way to handle/store these "extra" files.
> 
> Using the usual git-buildpackage workflow (or equivalent git workflows)
> maintainers prepare new upstream releases relying on pristine-tar so that
> the released tarball can be generated from the git information.
> 
> We need a similar mechanism to store the detached upstream signatures, a
> simple approach could be to simply store the detached signatures in the
> pristine-tar branch, and export these files when checking out the orig.tar.
> This would mean to modify pristine-tar commit and checkout actions to take
> into account the orig.tar.{$ext}.{asc,pgp} files.

We could also store it in the upstream tag message when importing the
tarball but having it on pristine-tar looks nicer. Will you file
wishlist bug against pristine-tar?
Cheers,
 -- Guido

> 
> Alternatively, we could use a different branch for these signatures, and
> avoid meddling with pristine-tar, but this would add useless overhead.
> 
> Happy hacking,
> -- 
> "EIEIO	Go home and have a glass of warm, dairy-fresh milk"
> -- The GNU C Library Reference Manual, Chapter 2.2, Error Codes
> Saludos /\/\ /\ >< `/

Reply to:

Follow-Ups:
- Re: Detached upstream signature and git packaging
  - From: Tomasz Buchert <tomasz@debian.org>

Prev by Date: Re: Bug#798476: Returning to the requirement that Uploaders: contain humans
Next by Date: Bug#870587: ITP: golang-github-cheekybits-is -- A mini testing helper for Go
Previous by thread: Bug#870571: ITP: avro-c -- Apache Avro C
Next by thread: Re: Detached upstream signature and git packaging
Index(es):
- Date
- Thread