[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tag2upload: extending discussion; committing new reqs to git



Hello,

On Wed 03 Jul 2024 at 10:23pm +02, Joerg Jaspert wrote:

> For uploads not including the full source the already existing source
> tarball present in the archive.
>
> Or something similar. That is, just a bit more focus on the point that
> this is for "following" uploads.

Thanks for the feedback on this.  Here is a revised diff.

-- >8 --
Subject: [PATCH] Record tag2upload changes agreed with ftpmaster

The ftpmaster delegates agree that the design changes introduced by this
commit satisfy their requirements stated in
    <https://lists.debian.org/debian-vote/2024/06/msg00602.html>.

They intend to configure dak to accept and trust uploads coming from the
tag2upload service on the basis of us implementing these changes.

Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
 TAG2UPLOAD-DESIGN.txt | 56 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

diff --git a/TAG2UPLOAD-DESIGN.txt b/TAG2UPLOAD-DESIGN.txt
index 6dbfaec4..a6fdf199 100644
--- a/TAG2UPLOAD-DESIGN.txt
+++ b/TAG2UPLOAD-DESIGN.txt
@@ -138,7 +138,8 @@ Not exposed via the git protocol, not even as a client.
 
  * Runs dgit rpush, specifying the package, version and
    target suite on the command line.  Target host is the Builder.
-   (We use the existing dgit rpush signing oracle protocol.)
+   (We use the existing dgit rpush signing oracle protocol, except extended
+   to include the new SOURCE_VERSION.git.tar.xz described below.)
 
  * Sends an email saying what it did.
 
@@ -231,6 +232,59 @@ binary build reproduction), or a suitable script, which can verify a
 reproduction attempt.  For now the src:dgit test suite will check that
 the upload is reproducible if run again in the same environment.
 
+SOURCE_VERSION.git.tar.xz
+=========================
+
+The .changes will also contain a file SOURCE_VERSION.git.tar.xz which is
+a compressed git repository with the following properties:
+
+ * It has the ref debian/VERSION, the maintainer's signed tag.
+ * It is sufficient on its own to (re)produce the canonical git view.
+   It is jointly sufficient, together with the orig.tar, to (re)produce
+   the source package.
+   (When the upload including the .git.tar.xz does not contain the
+   full source, this means the orig.tar that's already in the archive.)
+ * These reproductions are up to equality of file names and contents
+   -- timestamps of files may differ.
+ * It is usually shallow, for performance and storage space reasons.
+ * It may be a bare repository; or, it might be that no branch is
+   checked out.
+
+This .git.tar.xz is for the purpose of third-party auditing of what
+tag2upload did.  There will be a Python script in dgit.git, called
+mini-git-tag-fsck, which will take the .git.tar.xz as input, and produce
+two forms of auditing output:
+
+ * It extracts the maintainer's signed tag and deconstructs it into two
+   files, the tag text, and the detached signature.
+ * It prints to standard output a list of all files in the tagged
+   commit, with their git checksums (their object IDs).
+   It does this by walking the Merkle tree whose head is the
+   debian/VERSION signed tag object, re-checksumming as it goes.
+
+mini-git-tag-fsck has the following other properties:
+
+ * It does not verify the signature on the tag.
+   That is left to the caller.
+ * Given that the signature on the tag *is* valid, then all of the
+   script's own output is (transitively, via SHA1CD hashing) covered by
+   that signature, and so the output faithfully represents the intent of
+   the person who signed the tag.
+
+ * It does not invoke git, or anything from libgit2, or any other
+   external code of comparable complexity.
+ * It is designed to process only tag2upload's .git.tar.xz repositories;
+   it cannot process arbitrary git repositories.
+
+   Although the .git.tar.xz contains a bona fide git repository,
+   special arrangements are made regarding packfiles versus loose
+   objects to facilitate mini-git-tag-fsck's being able to process it
+   without invoking git/libgit2/etc..
+
+mini-git-tag-fsck will also have a mode to generate the .git.tar.xz.
+This will be invoked by the tag2upload service as part of preparing the
+upload.  (This mode will need to call out to git/libgit2/etc..)
+
 Emails
 ------
-- 
Sean Whitton


Reply to: