
Re: Bug#39299: PROPOSAL] permit/require use of bz2 for source packages



On Fri, 11 Jun 1999, J.H.M. Dassen wrote:

> On Thu, Jun 10, 1999 at 23:26:32 -0500, Manoj Srivastava wrote:
> > >>"Chris" == Chris Lawrence <cnlawren@olemiss.edu> writes:
> >  Chris> (gunzip upstream.orig.tar.gz; bzip2 upstream.orig.tar)
> > 
> >         What if detached signatures matter to me? Or signed md5sums
> >  from the author? 
> 
> These are valid concerns, but not for all source packages. In many cases, an
> upstream author doesn't provide signatures; in those cases, I'd consider
> recompressing reasonable.

When talking with Manoj I suggested the following definition of pristine
source:

---
Pristine Upstream Source is any work that can be proved via cryptography
that it is the original unchanged version as created by the original
author. In the absence of author provided digital signatures it is what
the Debian Maintainer believes to be the author's original unpacked work.
All original files must be included unchanged, no files/directories may be
renamed or modified.
---

I think this sort of a definition gives us lots of flexibility in what
that original source archive should be. Here are some detailed examples:
    - If the author provides a signature for a compressed archive (.tar.gz)
      containing the work then that archive must be used verbatim without
      recompressing
    - If the author provides a signature for the uncompressed archive (.tar)
      then the compression method can be selected by the packager, the
      maximum available compression (bzip2 -9) is recommended
    - If the author provides a signed MANIFEST file then the pristine
      source must contain all files listed with the listed signatures with
      no additions (unless the author included extra files). The archive
      should then be converted to the current Debian Standard with maximum
      compression (.tar.bzip2 or maybe .jar.bzip2 since java likes those
      MANIFEST files?)
    - If there is no available digital signature and the work is packed in 
      an archive format that stores meta-information (OS/2 EAs, Mac
      Resource forks, etc) then the archive encoding of the work must not
      be changed by the packager, but if possible it should be converted
      to maximum compression.
    - If there is no available digital signature for the source code then
      pristine upstream source is defined as any directory tree that has
      the same MANIFEST as what the original author distributed. (This
      means the unpacked work is content identical to the original
      distribution). The directory tree should be repacked into the current
      Debian Standard with maximum compression (.tar.bzip2)
[MANIFEST is a file similar to this output:
   md5sum `find -type f` | gpg --clear-sign 
] 

I think this is a much less wishy washy definition than what we seem
to have now, it is more precise and tells us exactly when original source
archives can be transformed and what limits we need to place on those
transformations. The focus is on preserving the 'pristine' directory tree
and contents of the unpacked source and wherever possible using a digital
signature to verify it and permitting a wide range of possible signing
types. The driving belief is that there isn't much reason to keep source
archives (as opposed to unpacked source directory trees) byte-for-byte
identical to the upstream unless there is a cryptographic proof of that
available. 

To implement a proposal like this we need to do a number of things, first
off we need to include the original upstream author's digital signature in
the upload (maybe a .sig.bz2 file?) so that we have available traceability. 
Secondly we need dpkg-source and all other related friends to have a
pluggable source archive mechanism. I can see the need to support at least
.tar.gz, .tar.bz2 and .jar (.jar.gz and .jar.bz2) and .zip in the future. 

Jason
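
Added example, not part of the original message: a sketch of the MANIFEST comparison the proposal relies on, showing that a .tar.gz recompressed as .tar.bz2 differs byte-for-byte as an archive yet has an identical per-file manifest, while a modified file is caught. Assumptions: SHA-256 is used in place of md5sum, only regular files (path and content) are compared, and the sample archives and all function names are constructed for illustration.

```python
import bz2, gzip, hashlib, io, tarfile

def manifest(archive_bytes):
    """Map each regular file's path to the SHA-256 of its contents."""
    entries = {}
    # "r:*" lets tarfile detect gzip, bzip2 or no compression on its own
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                entries[member.name] = hashlib.sha256(data).hexdigest()
    return entries

def compare(upstream, repacked):
    """Return (missing, added, changed) paths of repacked relative to upstream."""
    a, b = manifest(upstream), manifest(repacked)
    missing = sorted(set(a) - set(b))
    added = sorted(set(b) - set(a))
    changed = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return missing, added, changed

def is_pristine(upstream, repacked):
    """True when the unpacked trees are content identical (regular files only)."""
    return compare(upstream, repacked) == ([], [], [])

def build_tar(files):
    """Constructed sample input: an uncompressed tar built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the same tree as upstream .tar.gz and repacked .tar.bz2
SAMPLE = {"foo-1.0/README": b"hello\n",
          "foo-1.0/src/main.c": b"int main(void){return 0;}\n"}
TAR = build_tar(SAMPLE)
UPSTREAM_GZ = gzip.compress(TAR)
REPACKED_BZ2 = bz2.compress(TAR, 9)
# Constructed sample: a repack in which one file's content was altered
TAMPERED_BZ2 = bz2.compress(
    build_tar({**SAMPLE, "foo-1.0/src/main.c": b"int main(void){return 1;}\n"}), 9)

if __name__ == "__main__":
    print("archives byte-identical:", UPSTREAM_GZ == REPACKED_BZ2)
    print("repack pristine:", is_pristine(UPSTREAM_GZ, REPACKED_BZ2))
    print("tampered diff:", compare(UPSTREAM_GZ, TAMPERED_BZ2))
```

A signature over the compressed archive would not verify against the repacked file, which is why the first case in the list above forbids recompressing; a signed MANIFEST survives the repack.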

