| From | Simon Josefsson <simon@josefsson.org> |
|---|---|
| Newsgroups | linux.debian.devel |
| Subject | Re: Simpler git workflow for packaging with upstreamless repositories |
| Date | 2024-11-29 11:00 +0100 |
| Message-ID | <JO5X4-crey-5@gated-at.bofh.it> (permalink) |
| References | (6 earlier) <JN2Rz-bKL0-3@gated-at.bofh.it> <JN5FM-bMw7-13@gated-at.bofh.it> <JNHL3-cb1Q-7@gated-at.bofh.it> <JNJa9-cbOY-3@gated-at.bofh.it> <JNTsR-cicF-3@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
"Theodore Ts'o" <tytso@mit.edu> writes:

> Perhaps we could avoid talking past we formally had a list of
> requirements, and then match possible alternative approaches with how
> well they meet the agreed-upon requirements, and which requirements
> proponents want to dispense with because (at least for them), It's
> Just Not Worth It?

Yes please! I suspect one root problem here is that people have different conflicting requirements, and everyone primarily relates to their own situation.

I often work in offline mode too, but never had any problem with the download tarball approach. After 'git clone' (which requires internet) the first thing I normally do is to attempt a build, and git-buildpackage downloads the *.orig.tar.* automatically for me. Then I leave the tarball around on my laptop and never think about it. It is rare for me to happen to have a git repository of a package around and not have its corresponding tarballs too, but workflows differ.

>> If we are worried about malicious upstreams replacing tarballs, or
>> man-in-the-middle attacks, I think my debian/upstream/*SUMS approach is
>> a more effective solution to that problem.
>
> Maybe... if there were tools that made it super easy to validate the
> tarball against the *SUMS files without needing to unpack the tarball
> first?

I think 'sha256sum -c mypackage-git-repository/debian/source/SHA256SUM' should work if you have the tarballs in the current directory.

> Possibly with an inline GPG signature so we don't have to have
> separate SHA256SUM and SHA256SUM.asc files? For bonus points, maybe
> also a tool that validates a SHA256SUM file with a git commit id,
> again without needing to do a "git checkout" first?
>
> I will note that this approach would break backwards compatibility with
> existing Debian source packaging, right? That is, you're proposing
> that the debian/upstream/*SUMS file would replace the
> *.orig.tar.gz.asc file?

I don't think that works: the nice thing with *.orig.tar.gz.asc is that we get upstream's signature file into Debian, allowing users to follow the audit trail back to upstream.

My primary motivation is to make it possible to record under debian/ the intended (by the package maintainer) checksums of the *.orig.tar.* and (when they are different) upstream tarballs. We don't have any way to record that in debian/ today, I think. The only record of this is indirectly with the maintainer signing the *.changes file during package upload. But that is weak (only successfully uploaded packages are protected, not work-in-progress) and not widely audited (*.changes files aren't stored forever, or are they?).

/Simon
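
The check discussed in this message (validating a tarball against checksums recorded under debian/ at a given git commit, without unpacking the tarball or checking anything out), as an added example that is not part of the original message or of any existing Debian tool. The path debian/upstream/SHA256SUMS, the SUMS_PATH variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example. SUMS_PATH and the function names are assumptions; the
# message only names debian/upstream/*SUMS.
SUMS_PATH=${SUMS_PATH:-debian/upstream/SHA256SUMS}

# expected_sum NAME < sums: print the digest recorded for NAME.
# Fails unless NAME is listed exactly once (names with spaces unsupported).
expected_sum() {
    awk -v name="$1" '
        { f = $2; sub(/^\*/, "", f) }            # drop binary-mode marker
        f == name && $1 ~ /^[0-9a-f]+$/ && length($1) == 64 { h = $1; n++ }
        END { if (n != 1) exit 1; print h }'
}

# verify_tarball TARBALL < sums
# Plain "sha256sum -c" checks only the files the list names, so a tarball
# that is missing from the list would pass unnoticed; here that is an error.
# Returns 0 match, 1 mismatch, 2 not listed exactly once, 3 unreadable.
verify_tarball() {
    [ -r "$1" ] || return 3
    want=$(expected_sum "$(basename "$1")") || return 2
    got=$(sha256sum < "$1" | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# verify_from_commit REPO COMMIT TARBALL
# Reads the sums file straight from the object database, so it works on a
# bare clone or a dirty tree and never touches the working copy.
# A missing path yields empty input, which fails closed with status 2.
verify_from_commit() {
    git -C "$1" show "$2:$SUMS_PATH" 2>/dev/null | verify_tarball "$3"
}
```

Pinning COMMIT to a signed tag or a reviewed commit id is what ties the recorded checksum to the maintainer's intent; the script itself only compares digests.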