
Re: Upstream tarball hashes: debian/upstream/*SUMS

From Simon Josefsson <simon@josefsson.org>
Newsgroups linux.debian.devel
Subject Re: Upstream tarball hashes: debian/upstream/*SUMS
Date 2024-11-28 13:00 +0100
Message-ID <JNLlD-cd5b-3@gated-at.bofh.it> (permalink)
References <JNHL3-cb1Q-15@gated-at.bofh.it> <JNLlD-cd5b-5@gated-at.bofh.it>
Organization linux.* mail to news gateway


Alec Leamas <leamas.alec@gmail.com> writes:

> Hi,
>
> On 28/11/2024 09:01, Simon Josefsson wrote:
>> The checksums will be different when Debian
>> re-pack upstream's source tarball, but there is still value in recording
>> the upstream tarball used as a basis for creating the Debian source
>> tarball
>
> Personally, the few packages I maintain are mostly repacked. Isn't
> there also value in storing the hash of the repacked tarball, the
> thing actually used?

Absolutely, and that was my intention but I can see how it can be read
otherwise -- how about the version below?

/Simon

Source tarball checksums: debian/upstream/*SUMS
===============================================

Checksum files are organized on a per-hash filename basis.

SHA256 checksums are put in a file debian/upstream/SHA256SUMS.

The file MUST contain checksums of the intended *.orig.tar.* archives.
The filenames within the *SUMS file should be the same *.orig.tar.*
filename that will be uploaded into the Debian archive.

Files MUST be parseable by the 2024-era interface of Coreutils checksum
tools such as 'sha256sum -c'.

New checksum values are added for each new upstream release.

Multiple source tarballs are supported, if the Debian package is making
use of that feature.

A checksum of upstream's tarball name MUST also be included, as it is
retrieved by debian/watch.  This normally results in the same checksum
value as for the *.orig.tar.* file.  Having both checksum lines helps to
establish a cryptographic connection from Debian's tarball name to
upstream's tarball name.  The checksums will be different when Debian
re-pack upstream's source tarball, but there is still value in recording
the upstream tarball used as a basis for creating the Debian source
tarball.

Native Debian packages are not supported, as they don't have a
reasonable external upstream that can be checksum'ed.

Adding support for new algorithms is simple, just add a new file.

For backwards compatibility with old tools used in the future, and to
establish a known least-supported base-line, the
debian/upstream/SHA256SUMS file MUST exist if any debian/upstream/*SUMS
files are present, and MUST contain all relevant checksums.

There MAY be checksums of auxiliary files -- such as PGP *.asc or *.gpg
signatures, Sigsum *.proof files, CMS/PKCS7 signatures, Sigstore cosign
artifacts, etc.

Comments are supported by beginning each line with a # character,
optionally preceded by whitespace.
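The following is an added example, not code from the thread or from any Debian tool, that exercises the file format described above: it parses a coreutils-style SHA256SUMS file (skipping `#` comment lines, with or without leading whitespace), verifies each listed file, reports which filenames share one digest (the `*.orig.tar.*` name linked to upstream's name) and which differ (a repack), and enforces the least-supported baseline that SHA256SUMS must exist whenever any `*SUMS` file does. The package name `foo`, the tarball contents and the digests are all constructed inside the script.

```python
import hashlib
import os
import re
import tempfile

# Coreutils checksum line: "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode).
SUMS_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")


def parse_sums(text):
    """Parse a *SUMS file into (hexdigest, filename) pairs.

    Blank lines and comment lines (a '#' optionally preceded by whitespace)
    are skipped, which is what 'sha256sum -c' accepts as well.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = SUMS_LINE.match(raw.rstrip("\r\n"))
        if not m:
            raise ValueError(f"unparseable checksum line: {raw!r}")
        entries.append((m.group(1).lower(), m.group(2)))
    return entries


def baseline_ok(names):
    """Least-supported baseline from the proposal: if any *SUMS file is
    present in debian/upstream/, SHA256SUMS must be among them."""
    sums = [n for n in names if n.endswith("SUMS")]
    return not sums or "SHA256SUMS" in sums


def file_sha256(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sums(sums_text, directory):
    """Return {filename: "OK" | "FAILED" | "MISSING"} for every listed entry."""
    results = {}
    for digest, name in parse_sums(sums_text):
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif file_sha256(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def names_by_digest(sums_text):
    """Group filenames that share one digest. The Debian *.orig.tar.* name and
    upstream's tarball name land in the same group when the tarball was not
    repacked; a repack shows up as two separate digests."""
    groups = {}
    for digest, name in parse_sums(sums_text):
        groups.setdefault(digest, []).append(name)
    return groups


def demo():
    """Build a constructed (hypothetical) package tree in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        tarball = b"constructed tarball bytes, not a real archive\n"
        # Same bytes under the Debian name and upstream's name: no repack.
        for name in ("foo_1.0.orig.tar.gz", "foo-1.0.tar.gz"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(tarball)
        # Auxiliary signature file whose content no longer matches the recorded digest.
        with open(os.path.join(tmp, "foo-1.0.tar.gz.asc"), "wb") as fh:
            fh.write(b"tampered signature\n")
        good = hashlib.sha256(tarball).hexdigest()
        bad = hashlib.sha256(b"original signature\n").hexdigest()
        sums_text = (
            "# foo 1.0: Debian and upstream tarball names, identical bytes\n"
            f"{good}  foo_1.0.orig.tar.gz\n"
            f"{good}  foo-1.0.tar.gz\n"
            "  # auxiliary files (the .sig is deliberately absent from the tree)\n"
            f"{bad}  foo-1.0.tar.gz.asc\n"
            f"{bad}  foo-1.0.tar.gz.sig\n"
        )
        return verify_sums(sums_text, tmp), names_by_digest(sums_text)


if __name__ == "__main__":
    results, groups = demo()
    for name, status in results.items():
        print(f"{name}: {status}")
    for digest, names in groups.items():
        print(f"{digest[:12]}... -> {', '.join(names)}")
```

Running the script prints OK for both tarball names, FAILED for the tampered `.asc`, and MISSING for the `.sig` that is listed but not present; the grouping step shows the two tarball names under one digest, which is the "cryptographic connection" between the Debian and upstream filenames that the proposal is after.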
