Re: Include git commit id and git tree id in *.changes files when uploading?
On Mon, Dec 15, 2025 at 10:44:08PM -0800, Otto Kekäläinen wrote:
> Hi!
Hi Otto!
> > > To be better able to audit the software supply-chain I have been
> > > thinking that we should have more git info in the changes file, namely
> > > the git commit id it was generated from, and just in case also the git
> > > tree id as well.
> > >...
> > > Has somebody else already been thinking about the same? Do others see
> > > value in this?
> >
> > tag2upload and dgit already do this.
>...
> Are you aware of any attempts to integrate this into dpkg-buildpackage
> toolchain so systems that build .deb packages can have that metadata
> field universally and not just via official Debian uploads via
> tag2upload?
If you want to actually be able to use that for audit purposes, you
might not want to work with the maintainer-specific mess that Salsa is.
Only debian/ or complete sources?
debian/patches/ or patches applied?
One git repository per package, or 1k packages in one git repository?
The contents of a git tag/commit do sometimes not match the
contents of the package in the archive with the matching version.
And a git repository might disappear, or the commit might disappear,
or the commit was never pushed anywhere.
The proper solution would be if we had the git trees in the archive,
in a modern setup where the buildds are integrated in the git hosting
runner infrastructure so that the git CI tests the actual packages.
But until then using tag2upload for your packages might be the best
option for that purpose.
tag2upload ensures that what is in the archive matches what is in git,
and it has a defined interface for going backwards for audit purposes.
cu
Adrian
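The audit step the thread revolves around is checking that what sits in the archive is the same content a recorded git tree id refers to. The following is an added example, not code from the thread, dgit or tag2upload: it recomputes a git tree id for an unpacked source directory the way git serialises tree objects (blob header, sorted entries, modes) and compares it with an id read from a `.changes`-style text. The `Git-Tree` field name is a hypothetical placeholder, since the thread names no field, and the source tree and `.changes` text in `demo()` are constructed inline.

```python
#!/usr/bin/env python3
"""Recompute a git tree id for an unpacked source tree and compare it with
a recorded value.  Added example, not part of the mailing-list thread; the
'Git-Tree' field is a hypothetical placeholder (the thread names no field).
"""
import hashlib
import re
import stat
import tempfile
from pathlib import Path
from typing import Optional


def git_blob_id(data: bytes) -> str:
    """SHA-1 of a git blob object: 'blob <size>\\0<content>'."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def git_tree_id(directory: Path) -> str:
    """Recursively compute the git tree id of a directory.

    Mirrors git's tree serialisation: entries are '<mode> <name>\\0<20-byte
    sha1>', sorted by name with directories sorting as if '/' were appended,
    modes 100644/100755 for files, 120000 for symlinks, 40000 for subtrees.
    """
    entries = []
    for child in directory.iterdir():
        if child.name == ".git":
            continue  # git never records its own metadata directory
        name = child.name.encode()
        if child.is_symlink():
            mode, oid, key = b"120000", git_blob_id(child.readlink().as_posix().encode()), name
        elif child.is_dir():
            mode, oid, key = b"40000", git_tree_id(child), name + b"/"
        else:
            executable = child.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            mode = b"100755" if executable else b"100644"
            oid, key = git_blob_id(child.read_bytes()), name
        entries.append((key, mode, name, bytes.fromhex(oid)))
    entries.sort(key=lambda e: e[0])
    body = b"".join(mode + b" " + name + b"\0" + raw for _, mode, name, raw in entries)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()


def recorded_field(changes_text: str, field: str) -> Optional[str]:
    """Read a 40-hex object id from a 'Field: value' line of a .changes-style text."""
    pattern = rf"^{re.escape(field)}:\s*([0-9a-fA-F]{{40}})\s*$"
    match = re.search(pattern, changes_text, re.MULTILINE)
    return match.group(1).lower() if match else None


def verify_tree(directory: Path, recorded_tree_id: Optional[str]) -> bool:
    """True only if a tree id was recorded and the directory still hashes to it."""
    return recorded_tree_id is not None and git_tree_id(directory) == recorded_tree_id


def demo():
    """Constructed source tree: verification passes, then fails after a one-byte edit.

    Returns (empty_tree_id, ok_before_edit, ok_after_edit).
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp)
        empty_tree = git_tree_id(src)  # git's well-known empty tree id
        (src / "debian").mkdir()
        (src / "debian" / "control").write_text("Source: example\n")
        (src / "hello.c").write_text("int main(void) { return 0; }\n")
        # Constructed .changes excerpt carrying the hypothetical Git-Tree field.
        changes = f"Format: 1.8\nSource: example\nGit-Tree: {git_tree_id(src)}\n"
        recorded = recorded_field(changes, "Git-Tree")
        ok_before = verify_tree(src, recorded)
        (src / "hello.c").write_text("int main(void) { return 1; }\n")
        ok_after = verify_tree(src, recorded)
    return empty_tree, ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

Because the tree id covers file names, modes and bytes but not timestamps or the repository itself, the check works on an unpacked `.dsc` with no clone available, which is exactly the situation the message warns about: the repository or commit may be gone, and then only the recorded id and the archive contents remain.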