Re: Simpler git workflow for packaging with upstreamless repositories

From Simon Josefsson <simon@josefsson.org>
Newsgroups linux.debian.devel
Subject Re: Simpler git workflow for packaging with upstreamless repositories
Date 2024-11-28 10:40 +0100
Message-ID <JNJa9-cbOY-3@gated-at.bofh.it> (permalink)
References (5 earlier) <JN1st-bJL7-9@gated-at.bofh.it> <JN2ox-bKl7-3@gated-at.bofh.it> <JN2Rz-bKL0-3@gated-at.bofh.it> <JN5FM-bMw7-13@gated-at.bofh.it> <JNHL3-cb1Q-7@gated-at.bofh.it>
Organization linux.* mail to news gateway


"Theodore Ts'o" <tytso@mit.edu> writes:

> On Tue, Nov 26, 2024 at 04:27:37PM +0100, Simon Josefsson wrote:
>> I have never understood what value there is in duplicating the uploaded
>> tarball in the git repository.
>
> The actual cost of storing the pristine tarball is quite small.

I think this is a good example of us talking past each other in this
thread: some people question the value of pristine in the first place
(and I've been compelled by those arguments), and some people argue that
the cost is small and there are no bugs (or at least lack of bug
reports).

> For example:
>
> commit 91c7ab39337da63371b4814bef2b2aaf85a9e37c (origin/pristine-tar, pristine-tar)
> Author: Theodore Ts'o <tytso@mit.edu>
> Date:   Mon May 20 23:12:54 2024 -0400
>
>     pristine-tar data for e2fsprogs_1.47.1.orig.tar.gz
>
>  e2fsprogs_1.47.1.orig.tar.gz.asc   |  11 +++++++++++
>  e2fsprogs_1.47.1.orig.tar.gz.delta | Bin 0 -> 63961 bytes
>  e2fsprogs_1.47.1.orig.tar.gz.id    |   1 +
>  3 files changed, 12 insertions(+)
>
> Compare if I had to keep all of the old release tarballs around:
>
>     9.5M e2fsprogs-1.47.1.tar.gz
>
> The reason why I find pristine-tar *super* valuable is because it
> stashes the signed tarball and tarball in a highly efficient way, and
> which can be easily backed up by just doing a "git push" to github /
> git.kernel.org / salsa.  I can then just kick off a git-buildpackage
> in a super-convenient way, so the tooling is quite mature and
> convenient for development velocity.
>
> I could imagine an alternate way of generating data for
> git-buildpackage, by replacing the pristine with something that stores
> the detached GPG signature, and then a shell script which generates
> the orig.tar.gz, for example at [1].  But now we'd have third-party
> users who want to rebuild the debian packages from source executing an
> arbitrary shell script found in the git repository to generate the
> orig.tar.gz file, which would be a security nightmare.  Pristine-tar
> is much better from that perspective.
>
> [1] https://github.com/tytso/e2fsprogs/blob/master/util/gen-git-tarball

Yeah, this is nice, but I appear to have all of that with
git-pbuildpackage, uscan, origtargz etc downloading the upstream tarball
automatically already today.

If we are worried about malicious upstreams replacing tarballs, or
man-in-the-middle attacks, I think my debian/upstream/*SUMS approach is
a more effective solution to that problem.  Pristine-tar seems like a
tool-centric solution that isn't used elsewhere in the FOSS ecosystem.
Hash checksums are widely used to solve the security concerns, and
people know about those concepts even without learning anything about
Debian let alone git-buildpackage or pristine-tar.

If we are worried about upstreams going away so the tarball URLs don't
work, I like the Guix approach to 1) store hash checksums and 2) a
mirror system that falls back to the Software Heritage.  That also uses
known established concepts (SHA256 hashes + URL list) to solve the
problem, without having to learn git-buildpackage or pristine-tar.

/Simon
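
Added example, not part of the original message and not code from any of the tools named in the thread: a sketch of the "pinned SHA256 hashes + URL list" idea, where a tarball is accepted from whichever source first yields bytes matching the committed digest. It assumes the checksum file uses `sha256sum` output format; the function names, source labels and file name are hypothetical, and the sample data is constructed.

```python
import hashlib
import re

# One line of `sha256sum` output: 64 hex digits, a space, then ' ' or '*'
# (text/binary marker), then the file name.
SUMS_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")


def parse_sums(text):
    """Return {file name: sha256 hex digest} from sha256sum-style text."""
    pinned = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if m is None:
            raise ValueError(f"line {n}: not a sha256sum entry")
        digest, name = m.groups()
        if "/" in name or name in (".", ".."):  # pins name plain files only
            raise ValueError(f"line {n}: unsafe file name {name!r}")
        if pinned.setdefault(name, digest) != digest:
            raise ValueError(f"line {n}: conflicting digests for {name!r}")
    return pinned


def fetch_pinned(name, pinned, sources):
    """Try (label, fetch) sources in order and return (data, label, rejected)
    for the first one whose bytes hash to the pinned digest."""
    want = pinned[name]  # KeyError here: a file with no pin is never trusted
    rejected = []
    for label, fetch in sources:
        try:
            data = fetch()
        except OSError as exc:  # upstream URL gone, mirror unreachable, ...
            rejected.append((label, f"unavailable: {type(exc).__name__}"))
            continue
        got = hashlib.sha256(data).hexdigest()
        if got == want:
            return data, label, rejected
        rejected.append((label, f"digest mismatch: {got[:12]}"))
    raise LookupError(f"{name}: no source matched the pinned digest: {rejected}")


def demo():
    # Constructed sample data: stand-in bytes, hypothetical file name.
    good = b"constructed tarball bytes\n"
    sums = f"{hashlib.sha256(good).hexdigest()}  example_1.0.orig.tar.gz\n"

    def gone():
        raise FileNotFoundError("upstream URL no longer resolves")

    sources = [("upstream", gone),                       # upstream went away
               ("mirror", lambda: good + b"tampered"),   # replaced tarball
               ("archive", lambda: good)]                # fallback archive
    return fetch_pinned("example_1.0.orig.tar.gz", parse_sums(sums), sources)
```

Because the trust decision rests only on the digest committed alongside the packaging, the transport behind each source does not need to be trusted, and the `rejected` list records which sources failed and why.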
