Alec Leamas <leamas.alec@gmail.com> writes:

> Hi,
>
> On 28/11/2024 09:01, Simon Josefsson wrote:
>> The checksums will be different when Debian
>> re-pack upstream's source tarball, but there is still value in recording
>> the upstream tarball used as a basis for creating the Debian source
>> tarball
>
> Personally, the few packages I maintain are mostly repacked. Isn't
> there also value in storing the hash of the repacked tarball, the
> thing actually used?

Absolutely, and that was my intention but I can see how it can be read
otherwise -- how about the version below?

/Simon

Source tarball checksums: debian/upstream/*SUMS
===============================================

Checksum files are organized on a per-hash filename basis. SHA256
checksums are put in a file debian/upstream/SHA256SUMS. The file MUST
contain checksums of the intended *.orig.tar.* archives. The filenames
within the *SUMS file should be the same *.orig.tar.* filename that will
be uploaded into the Debian archive. Files MUST be parseable by the
2024-era interface of Coreutils checksum tools such as 'sha256sum -c'.
New checksum values are added for each new upstream release. Multiple
source tarballs are supported, if the Debian package is making use of
that feature.

A checksum of upstream's tarball name MUST also be included, as it is
retrieved by debian/watch. This normally results in the same checksum
value as for the *.orig.tar.* file. Having both checksum lines helps to
establish a cryptographic connection from Debian's tarball name to
upstream's tarball name. The checksums will be different when Debian
re-packs upstream's source tarball, but there is still value in
recording the upstream tarball used as a basis for creating the Debian
source tarball.

Native Debian packages are not supported, as they don't have a
reasonable external upstream that can be checksummed.

Adding support for new algorithms is simple, just add a new file.

For backwards compatibility with old tools used in the future, and to
establish a known least-supported base-line, the
debian/upstream/SHA256SUMS file MUST exist if any debian/upstream/*SUMS
files are present, and MUST contain all relevant checksums.

There MAY be checksums of auxiliary files -- such as PGP *.asc or *.gpg
signatures, Sigsum *.proof files, CMS/PKCS7 signatures, Sigstore cosign
artifacts, etc.

Comments are supported by beginning each line with a # character,
optionally preceded by whitespace.
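As an added example, not part of this thread or of any Debian tool, here is a small Python parser and verifier for the debian/upstream/SHA256SUMS layout proposed above: it reads the 'sha256sum -c' line shape, skips '#' comments (including indented ones, as the proposal allows), checks listed files against their digests, and tests the linkage between upstream's tarball name and the *.orig.tar.* name. The project name foo, the file names and the tarball bytes are constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for the bytes of upstream's foo-1.2.3.tar.gz (no real
# project; names and content are made up for this example).
UPSTREAM_BYTES = b"constructed stand-in for foo-1.2.3.tar.gz\n"
DIGEST = hashlib.sha256(UPSTREAM_BYTES).hexdigest()

# A debian/upstream/SHA256SUMS as the proposal describes: one line for the name
# debian/watch fetches, one for the *.orig.tar.* name uploaded to the archive,
# '#' comments allowed. Without repacking both lines carry the same digest.
SAMPLE_SHA256SUMS = f"""# foo 1.2.3: upstream tarball name, as retrieved by debian/watch
{DIGEST}  foo-1.2.3.tar.gz
  # same bytes under the Debian orig name (comment with leading whitespace)
{DIGEST}  foo_1.2.3.orig.tar.gz
"""

# Shape of a line that 'sha256sum -c' reads: 64 hex digits, a space, then
# either a space (text mode) or '*' (binary mode), then the file name.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](\S.*)$")


def parse_sums(text):
    """Return {filename: lowercase hex digest}; skip blank lines and '#' comments."""
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _SUM_LINE.match(raw)
        if m is None:
            raise ValueError(f"line {lineno} is not a sha256sum line: {raw!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def verify(sums, files):
    """Check each listed name against files ({name: bytes}); return names that fail."""
    failed = []
    for name, expected in sums.items():
        data = files.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            failed.append(name)  # missing file or mismatching content
    return sorted(failed)


def same_digest(sums, upstream_name, orig_name):
    """True when upstream's name and the *.orig.tar.* name share a digest (no repack)."""
    return upstream_name in sums and sums.get(orig_name) == sums[upstream_name]
```

For a repacked package, same_digest() returning False is the expected result; both lines still belong in the file, the orig line for what is uploaded and the upstream line for what debian/watch fetched.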