Ian Jackson <ijackson@chiark.greenend.org.uk> writes:
> Lucas Nussbaum writes ("Re: Include git commit id and git tree id in *.changes files when uploading? [and 1 more messages]"):
>> But it has something to do with upstream git commits. If
>> - upstream tarballs are generated to include the git commit used (as
>> with git-archive)
>> - and the tarball is not rewritten by uscan
>> - and pristine-tar is used
>> Then the git commit used by upstream to generate the tarball is
>> preserved in Debian's upstream (orig) tarball.
> ...
>> (as a tar pax header).
>
> Interesting. TIL that this is even possible!
>
> I think tag2upload-(re)generated origs (even without pristine-tar
> support) have the same property. They are generated with git-archive
> and the manpage suggests it includes this information unconditionally.
>
> I picked a recent tag2upload -1 upload, emacs-llama 1.0.3-1. The
> build log (sent to the debian-tag2upload list [0]) contains this:
>
> # no orig(s) in archive, generating
> + git deborig 2a89ba755b0459914a44b1ffa793e57f759a5b85
> # created orig
>
> It generated this tarball:
>
> db2efcb550a36160efc2799bc774478499ae685e40ecd709b434d65a7df894ed emacs-llama_1.0.3.orig.tar.xz
>
> And I see this:
>
> xzcat emacs-llama_1.0.3.orig.tar.xz | git-get-tar-commit-id
> 2a89ba755b0459914a44b1ffa793e57f759a5b85

That would only match upstream commit if 'emacs-llama' pins the
tag2upload upstream git commit to the actual upstream git commit, right?
Which it does for this package:

jas@frallan:~/dpkg/emacs-llama$ git tag -v debian/1.0.3-1
...
[dgit please-upload source=emacs-llama version=1.0.3-1 upstream-tag=v1.0.3 upstream=2a89ba755b0459914a44b1ffa793e57f759a5b85]
...
jas@frallan:~/dpkg/emacs-llama$ git log -p -1 origin/upstream/latest
commit 2a89ba755b0459914a44b1ffa793e57f759a5b85 (tag: v1.0.3, origin/upstream/latest)
...

However, I think for many packages, that is not what is happening,
because the tag2upload upstream git commit will be the 'upstream/1.2.3'
tag that is created by 'gbp import-orig'. Which is Debian-specific and
has only a weak SHA1-collision-vulnerable relationship to the upstream
git commit. So the auditability chain to upstream git is weak.

This leads me to believe that it would be better to use 'git-debpush
--upstream-tag=v1.2.3' instead of 'git-debpush
--upstream-tag=upstream/1.2.3', right?

I've been mixing those two styles in my uploads, to experiment with the
effect, and pending any recommendations on this. I haven't seen any
noticeable difference between these two styles, and mix between them
somewhat randomly to gain experience.

Is there any advantage to using --upstream-tag=upstream/1.2.3?

I thought that the 'git-deborig' design somehow preferred upstream/1.2.3
tag but that could be my mistake (my intuition for all of this is still
in training mode and often wrong, it seems).

/Simon
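
The comparison made by hand in the message above, as an added example that is not part of the original thread: read the commit id from the pax global header at the start of an orig tarball and compare it with the upstream= field of the dgit please-upload tag line. The helper names are hypothetical, and the tarball is a constructed in-memory sample that reuses the commit id and tag line quoted in the message.

```python
import io
import re
import tarfile

# Commit id and tag line as quoted in the message; the tarball below is constructed.
COMMIT = "2a89ba755b0459914a44b1ffa793e57f759a5b85"
TAG_LINE = ("[dgit please-upload source=emacs-llama version=1.0.3-1 "
            "upstream-tag=v1.0.3 upstream=" + COMMIT + "]")


def build_sample_orig(commit):
    """Constructed stand-in for git-archive output: pax global header + one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      pax_headers={"comment": commit}) as tf:
        data = b"(constructed file body)\n"
        info = tarfile.TarInfo("emacs-llama-1.0.3/README")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_commit_id(tar_bytes):
    """Return the commit id from the leading pax global header, or None.
    Only the first two 512-byte blocks of the uncompressed tar are inspected."""
    head = tar_bytes[:1024]
    if len(head) < 1024 or head[156:157] != b"g":  # typeflag 'g': global header
        return None
    m = re.match(rb"(\d+) comment=([0-9a-f]{40}|[0-9a-f]{64})\n", head[512:])
    if not m or int(m.group(1)) != len(m.group(0)):  # pax record length check
        return None
    return m.group(2).decode("ascii")


def tag_upstream_commit(tag_text):
    """Extract upstream=<commit> from a '[dgit please-upload ...]' line."""
    m = re.search(r"\[dgit please-upload [^\]]*\bupstream=([0-9a-f]{40,64})[\s\]]",
                  tag_text)
    return m.group(1) if m else None


def orig_matches_tag(tar_bytes, tag_text):
    """True only when both ids are present and identical."""
    embedded = tar_commit_id(tar_bytes)
    return embedded is not None and embedded == tag_upstream_commit(tag_text)


if __name__ == "__main__":
    orig = build_sample_orig(COMMIT)
    print(tar_commit_id(orig), orig_matches_tag(orig, TAG_LINE))
```

A match shows only that the tarball is labelled with the commit id named in the tag; the header is metadata and says nothing about whether the tarball contents correspond to that commit's tree.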