
Re: The Difference between debcheckout and dgit and what they try to accomplish



> On Mon 17 Jun 2019 at 06:21pm +0200, Helmut Grohne wrote:
> > Presently, no. I attempted using it, but I feel that the extra
> > complexity did not help my use case. dgit solves a difficult problem and
> > that comes at a cost. Verification of source integrity is much more
> > difficult to understand with dgit (and it presently seems to have a
> > trust root in the ca business). The integrity checking performed by
> > apt-get source on the other hand is quite easily explained (if you
> > assume gpgv).

On this, Sean writes:

> Can I ask whether you think it would help if dgit was more verbose about
> the verification it was doing?  Telling you what the ftpmaster API was
> telling it, or something.

This might be of some use but I don't think it is a real solution for
Helmut.

> The commercial SSL thing is indeed a problem (#790093).

FTAOD: I have a memory that in response to Hector Oron's message #20
in that bug, I did try to have a conversation on debian-admin, but
that I found that conversation very frustrating.  I did not feel that
the DSA members I was talking to were listening very well.  Probably,
they felt I was rude.  I gave up. [1]

I would really appreciate it if someone else (who understands the
problem) would have a go.

Hector: If it would be useful to you, I could tell you a set of dgit
configuration settings to have it use the apt repository fetching
method.  That would rely, therefore, on the existing apt dsc
verification system (based on Release files etc.), and not on the
ftpmaster api service.

This is not the default because (1) it means downloading the whole of
the Sources for a distribution just to obtain one package and (2) it
has a much greater risk of skew due to getting stale data.  If more
people want this mode of operation I could provide a more cooked way
to specify it, although I think it is suboptimal to fixing #790093.

> > I occasionally look into history of packages to figure something out. For
> > this case, dgit is not useful due to its low adoption and being young.
> > On the other hand, debian/changelog often suffices here.

dgit is not young.  It was invented in August 2013 in Vaumarcus by
Joey Hess and me.  So it is nearly 6 years old.

Low adoption of "dgit push" is indeed a serious problem.

> For the history thing, after you `dgit clone`, `git fetch vcs-git` will
> get you the maintainer's history for browsing.  That's about as easy as
> debcheckout.

It's not really what Helmut wants, though.

Ian.

[1] I don't appear to have saved a transcript of the conversation.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
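The apt-side verification chain that Ian's apt-fetching mode would rely on (a signed Release file vouching for the Sources index, Sources vouching for the .dsc, the .dsc vouching for its tarballs) is what Helmut calls "easily explained (if you assume gpgv)". The script below is an added illustration of that chain and is not part of this thread, nor code from apt or dgit. All four artefacts (Release, Sources, .dsc, tarball) are constructed in memory so the checksums line up, and the gpgv signature check on Release is taken as already done, exactly the assumption Helmut names; `checksums`, `matches`, `verify_source` and `tampered` are names chosen here.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample artefacts (not real Debian archive data). Each level's
# checksum is computed from the level below so the chain is consistent.
ORIG_TARBALL = b"constructed stand-in for example_1.0.orig.tar.xz contents\n"

DSC = (
    "Format: 3.0 (quilt)\n"
    "Source: example\n"
    "Version: 1.0-1\n"
    "Checksums-Sha256:\n"
    f" {sha256(ORIG_TARBALL)} {len(ORIG_TARBALL)} example_1.0.orig.tar.xz\n"
).encode()

SOURCES = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Directory: pool/main/e/example\n"
    "Checksums-Sha256:\n"
    f" {sha256(DSC)} {len(DSC)} example_1.0-1.dsc\n"
    f" {sha256(ORIG_TARBALL)} {len(ORIG_TARBALL)} example_1.0.orig.tar.xz\n"
).encode()

RELEASE = (
    "Suite: unstable\n"
    "SHA256:\n"
    f" {sha256(SOURCES)} {len(SOURCES)} main/source/Sources\n"
).encode()

# What apt would have fetched from the mirror, keyed by the name each
# index uses for it (constructed, like everything above).
FETCHED = {
    "main/source/Sources": SOURCES,
    "example_1.0-1.dsc": DSC,
    "example_1.0.orig.tar.xz": ORIG_TARBALL,
}


def checksums(index: bytes) -> dict:
    """Parse the SHA256 (Release) or Checksums-Sha256 (Sources/.dsc) block of
    an RFC822-style Debian index into {name: (hexdigest, size)}."""
    sums = {}
    in_block = False
    for line in index.decode().splitlines():
        if not line.startswith(" "):
            # a new field starts; only the sha256 blocks interest us
            in_block = line.rstrip(":") in ("SHA256", "Checksums-Sha256")
        elif in_block:
            digest, size, name = line.split()
            sums[name] = (digest, int(size))
    return sums


def matches(sums: dict, name: str, data: bytes) -> bool:
    """True iff the index lists `name` and both digest and size agree with `data`."""
    return sums.get(name) == (sha256(data), len(data))


def verify_source(release: bytes, fetched: dict, dsc_name: str) -> bool:
    """Walk the chain Release -> Sources -> .dsc -> tarballs.

    Assumption: `release` has already been checked by gpgv against the
    archive keyring (that signature is the trust root); this function only
    follows the hashes downward from it.
    """
    sources = fetched.get("main/source/Sources")
    if sources is None or not matches(checksums(release), "main/source/Sources", sources):
        return False
    dsc = fetched.get(dsc_name)
    if dsc is None or not matches(checksums(sources), dsc_name, dsc):
        return False
    dsc_sums = checksums(dsc)
    if not dsc_sums:
        return False
    for name in dsc_sums:
        if name not in fetched or not matches(dsc_sums, name, fetched[name]):
            return False
    return True


def tampered(name: str, data: bytes) -> dict:
    """Copy of FETCHED with one file replaced, as a mirror serving a modified file would."""
    bad = dict(FETCHED)
    bad[name] = data
    return bad


if __name__ == "__main__":
    print("intact chain:", verify_source(RELEASE, FETCHED, "example_1.0-1.dsc"))
    print("modified tarball:",
          verify_source(RELEASE, tampered("example_1.0.orig.tar.xz", b"evil\n"), "example_1.0-1.dsc"))
```

Every hop is a plain SHA-256 comparison against the level above, which is why the scheme is easy to explain: the only thing outside the script is the OpenPGP signature on Release, and a modified tarball, .dsc or Sources index fails at the first hop that no longer matches. Ian's two stated costs of this mode are also visible in the data shape: the whole Sources index has to be fetched to check one .dsc, and a stale Sources/Release pair will simply fail to match a newer .dsc.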
