
Re: [RFC] General Resolution to deploy tag2upload



Marco d'Itri writes ("Re: [RFC] General Resolution to deploy tag2upload"):
> ijackson@chiark.greenend.org.uk wrote:
> > In this message I discuss in some detail five packaging workflows.
>
> I am more familiar with the gbp patches-unapplied workflow: can you
> point us to some educationally relevant example repositories using the
> git-debrebase workflows?
> (Maybe without dgit, to make things easier to understand.)

Russ can perhaps provide more examples, but src:xen is a complex one.
  https://salsa.debian.org/xen-team/debian-xen/

I doubt anyone is using git-debrebase but not dgit.  There would be no
reason to do that.  dgit push just makes things better, compared to
the old dput-based approach.

(xen security uploads aren't done with dgit because security.d.o
doesn't support dgit, #1050143, but you won't see anything about that
in git, really.)

> >The alternative design I've been positing supposes including a
> >manifest of the contents of the unpacked source package.  Ie, patches
> >applied.
>
> But why does it have to be patches-applied?
> Then both sides could easily (?) compute a canonical hash of the
> patches-unapplied git repositories, and it would still provide the same
> security properties.

This is a reasonable question, especially since the ftpmasters haven't
really nailed down what precisely this manifest would be, so I had to
make it up myself.  So:

I chose patches-applied as the comparator in my big writeup because
patches-unapplied is even worse.

If the manifest form is patches-unapplied, then all the
patches-applied git workflows would have to *unapply* the patches to
generate the manifest.  That means *more* patch-wrangling, in more
cases.  The NMU case becomes particularly bad, because in the general
case only dpkg-source knows how to apply patches; and even then I
think it doesn't know how to *un*apply them; and, it wants a tarball.

Also, it would mean that the same manifest could mean different
unpacked trees depending on the source package format, which is super
weird and confusing.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

