On Wednesday, 23 October 2019, 15:49:11 CET, Theodore Y. Ts'o wrote:
> On Wed, Oct 23, 2019 at 11:18:24AM +1000, Russell Stuart wrote:
> > On Tue, 2019-10-22 at 16:52 -0700, Russ Allbery wrote:
> > > That seems excessively pessimistic. What about Git makes you think
> > > it's impossible to create a reproducible source package?
> >
> > Has it been done? Given this point has been raised several times
> > before if it hasn't been done by now I think it's reasonable to assume
> > it's difficult, and thinking that it's so is not excessively
> > pessimistic.
>
> Generating a reproducible source package given a particular git commit
> is trivial. All you have to do is use "git archive". For example:
When talking about upstream projects, sure.
But generating Debian source packages (.dsc and friends) from a
`debian/master` (+ `pristine-tar`) reproducibly is not really, right?
As far as I understand, `gbp buildpackage -S` is the closest we have, but so
far, I fail to get it to give me the bit-by-bit identical unsigned .dsc that
I'd like to get. What am I missing?
(A little digression…)
Where I'm coming from is that we were discussing the tag2upload problem at
miniDebConf Vaumarcus. The heart of the problem is that FTP-Master are
(currently) not going to accept .dscs built reproducibly by a (even trusted)
service. tag2upload is built on the idea that a signed git tag is the only
needed thing (`git tag -s`) to trigger an upload, and that is not going to fly
currently.
The solution that seemed obvious during the discussion [0] is to instead rely
on a local tool to produce a git tag with significantly more metadata (such as
.dsc signature, _source.changes signature); and reconstruct a signed set
of .dsc and _source.changes automatically (as last pipeline step in Gitlab
CI), which are then acceptable by the archive.
In other words, it's "tag2upload", but with a reproducible way to:
- build a source package on developer machine;
- sign it locally;
- create and push a special git tag
Then, in a different environment (such as a GitLab CI pipeline step), given a
special git tag and a repository;
- build the exact same unsigned source package;
- unpack the special git tag;
- apply the signatures to get the exact same signed source packages;
- dput to the archive.
The hard part is not the packing and unpacking of the special tag; that's
mostly just strings massaging. But building the exact same source package in
different environments is harder than I expected.
Some caveats:
- Q: if you built and signed the source package locally, why not upload?
A: Because you might want to only upload _after_ automated tests, and in an
unsupervised manner.
- Q: If one can fit pgp signatures in a git tag; why not inlining the complete
.dsc and _source.changes?
A: Indeed. You still need the debian.tar though.
- Q: What about Dgit: in the .dsc, or buildinfo files?
A: Currently optional; could just be left out for a prototype.
Of course, all of this can only work if we can have, or make the ".git to
.dsc" conversion reproducible; hence my query.
All-in-all; would this be a welcome mechanism?
OdyX
[0] It probably was already considered.
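An added illustration of why the "same source package in different environments" step is the hard part (this is not code from the thread, from gbp or from dpkg-source): the debian.tar inside a .dsc is only bit-identical across machines if every environment-dependent tar header field is pinned, the way `git archive` pins mtimes to the commit time. The sample debian/ tree, the checkout timestamps and the commit timestamp are constructed; the .xz compression step, whose output also has to be pinned to one xz version and flag set, is left out.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample debian/ tree standing in for a real package's packaging directory.
SAMPLE_FILES = {
    "control": b"Source: example\nMaintainer: Nobody <nobody@example.org>\n",
    "changelog": b"example (1.0-1) unstable; urgency=medium\n",
    "rules": b"#!/usr/bin/make -f\n%:\n\tdh $@\n",
}

def make_checkout(mtime: int) -> str:
    """Write SAMPLE_FILES into a fresh temp dir with the given mtime (one simulated checkout)."""
    root = os.path.join(tempfile.mkdtemp(), "debian")
    os.mkdir(root)
    for name, data in SAMPLE_FILES.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    os.utime(root, (mtime, mtime))  # last: creating the files bumped the directory mtime
    return root

def naive_tar(root: str) -> bytes:
    """Plain 'tar cf' behaviour: records live mtimes, uid/gid and user names as found."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        tf.add(root, arcname="debian")
    return buf.getvalue()

def reproducible_tar(root: str, commit_time: int) -> bytes:
    """Same tree, with every environment-dependent header field pinned to fixed values."""
    def normalize(ti: tarfile.TarInfo) -> tarfile.TarInfo:
        ti.mtime = commit_time  # as git archive does: timestamp comes from the commit, not the disk
        ti.uid = ti.gid = 0
        ti.uname = ti.gname = ""
        ti.mode = 0o755 if ti.isdir() or ti.mode & 0o100 else 0o644  # independent of umask
        return ti
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        tf.add(root, arcname="debian", filter=normalize)  # tarfile adds entries in sorted order
    return buf.getvalue()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare(commit_time: int = 1571838551) -> tuple:
    """Tar two checkouts made at different times; return (naive_equal, reproducible_equal)."""
    dev = make_checkout(commit_time + 60)     # developer's laptop, checked out shortly after commit
    ci = make_checkout(commit_time + 86400)   # CI runner, checked out a day later
    naive_equal = sha256(naive_tar(dev)) == sha256(naive_tar(ci))
    repro_equal = sha256(reproducible_tar(dev, commit_time)) == sha256(reproducible_tar(ci, commit_time))
    return naive_equal, repro_equal
```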