Re: tag2upload: extending discussion; committing new reqs to git
Hello,
Joerg, here is the hopefully-final version.
If you are happy with it then I will add
"Acked-by: Joerg Jaspert <joerg@debian.org>"
and then I will commit it, and send a message withdrawing my GR.
(Please say explicitly if you don't want me to use Acked-by like this,
but we generally use these kernel-style trailers in dgit.git.)
Thanks.
-- >8 --
Subject: [PATCH] Record tag2upload changes agreed with ftpmaster
The ftpmaster delegates agree that the design changes introduced by this
commit satisfy their requirements stated in
<https://lists.debian.org/debian-vote/2024/06/msg00602.html>.
They intend to configure dak to accept and trust uploads coming from the
tag2upload service on the basis of us implementing these changes.
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
TAG2UPLOAD-DESIGN.txt | 54 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 53 insertions(+), 1 deletion(-)
diff --git a/TAG2UPLOAD-DESIGN.txt b/TAG2UPLOAD-DESIGN.txt
index 6dbfaec4..a985e580 100644
--- a/TAG2UPLOAD-DESIGN.txt
+++ b/TAG2UPLOAD-DESIGN.txt
@@ -138,7 +138,8 @@ Not exposed via the git protocol, not even as a client.
* Runs dgit rpush, specifying the package, version and
target suite on the command line. Target host is the Builder.
- (We use the existing dgit rpush signing oracle protocol.)
+ (We use the existing dgit rpush signing oracle protocol, except extended
+ to include the new SOURCE_VERSION.git.tar.xz described below.)
* Sends an email saying what it did.
@@ -231,6 +232,57 @@ binary build reproduction), or a suitable script, which can verify a
reproduction attempt. For now the src:dgit test suite will check that
the upload is reproducible if run again in the same environment.
+SOURCE_VERSION.git.tar.gz
+=========================
+
+The .changes will also contain a file SOURCE_VERSION.git.tar.xz which is
+a compressed git repository with the following properties:
+
+ * It has the ref debian/VERSION, the maintainer's signed tag.
+ * It is sufficient on its own to (re)produce the canonical git view.
+ It is jointly sufficient, together with the orig.tar, to (re)produce
+ the source package.
+ * These reproductions are up to equality of file names and contents
+ -- timestamps of files may differ.
+ * It is usually shallow, for performance and storage space reasons.
+ * It may be a bare repository; or, it might be that no branch is
+ checked out.
+
+This .git.tar.xz is for the purpose of third-party auditing of what
+tag2upload did. There will be a Python script in dgit.git, called
+mini-git-tag-fsck, which will take the .git.tar.xz as input, and produce
+two forms of auditing output:
+
+ * It extracts the maintainer's signed tag and deconstructs it into two
+ files, the tag text, and the detached signature.
+ * It prints to standard output a list of all files in the tagged
+ commit, with their git checksums (their object IDs).
+ It does this by walking the Merkle tree whose head is the
+ debian/VERSION signed tag object, re-checksumming as it goes.
+
+mini-git-tag-fsck has the following other properties:
+
+ * It does not verify the signature on the tag.
+ That is left to the caller.
+ * Given that the signature on the tag *is* valid, then all of the
+ script's own output is (transitively, via SHA1CD hashing) covered by
+ that signature, and so the output faithfully represents the intent of
+ the person who signed the tag.
+
+ * It does not invoke git, or anything from libgit2, or any other
+ external code of comparable complexity.
+ * It is designed to process only tag2upload's .git.tar.xz repositories;
+ it cannot process arbitrary git repositories.
+
+ Although the .git.tar.xz is a bona fide git repository, special
+ arrangements are made regarding packfiles versus loose objects to
+ facilitate mini-git-tag-fsck's being able to process it without
+ invoking git/libgit2/etc..
+
+mini-git-tag-fsck will also have a mode to generate the .git.tar.xz.
+This will be invoked by the tag2upload service as part of preparing the
+upload. (This mode will need to call out to git/libgit2/etc..)
+
Emails
------
--
Sean Whitton
Reply to: