
Re: How is the original tarball obtained in tag2upload

From Russ Allbery <rra@debian.org>
Newsgroups linux.debian.vote
Subject Re: How is the original tarball obtained in tag2upload
Date 2024-06-14 23:40 +0200
Message-ID <IPmOm-2Y18-3@gated-at.bofh.it> (permalink)
References <IPcFj-2RQ9-3@gated-at.bofh.it> <IPdi1-2Sio-15@gated-at.bofh.it> <IPmEF-2XXX-3@gated-at.bofh.it>
Organization The Eyrie



Phil Morrell <debian@emorrp1.name> writes:

> It's been my impression [citation needed] that pristine-tar/lfs still
> exists mainly out of inertia and simple tooling around it that makes it
> more of a why not. If we're gaining a mostly git-native upload workflow
> out of this, I think it would be wise to second-guess if this support is
> even needed in tag2upload.

> You're already using the archive to obtain the orig.tar where available,
> which neuters one of pristine-tar's purposes: to get everything needed
> to build past releases from just a git clone [1]. New upstream versions
> *for likely users of tag2upload*, I believe the git-archive generated
> tarball would be a sufficient incidental artifact to be uploaded -
> making tag2upload the authoritative one-off source instead of
> (presumably) upstream's forge generator.

I also have questions about whether pristine-tar is a viable long-term
technical design.  We have to maintain a lot of changes in underlying
tools to make it work, and my understanding is that we've had failure
modes in the past where a tarball is reproducible with pristine-tar at the
time, but if you try to reproduce it five years later with the current set
of tools in unstable, that may fail.  The problem that it is trying to
solve is technically very difficult and also not prioritized by various
upstreams, which puts it on rather shaky ground.

If we want to continue supporting verbatim upstream tarballs as the basis
for Debian packaging (which I think we clearly do for at least some
packages), I think it would be better to think about how to introduce the
actual tarball as an artifact using git-lfs or some similar approach,
rather than attempt to reconstruct it from Git.  The tools simply don't
support doing the latter, and pristine-tar has to go to heroic efforts to
try to make this work.

This of course has all of the known problems with potentially malicious
upstream tarballs that differ from Git tags, but there are ways to detect
some of those problems while still basing the packaging on the actual
tarball as released.  And it would let us reuse the upstream signature on
the tarball, which is useful in some cases to provide a bit of additional
provenance and tracing.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
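The last paragraph of the message above mentions that some differences between a released upstream tarball and the corresponding Git tag can be detected while still packaging from the tarball. The following is an added example of that check, not code from the message's author, from tag2upload or from any Debian tool. It compares the regular files in a tarball against the tree of the tag and reports what was added, removed or modified, with an allowlist for files that are legitimately generated at release time (for example autotools output). The `TAG_TREE` dictionary is a constructed stand-in for what `git ls-tree -r <tag>` plus the blob contents would give you; the file names and contents are made up for the example.

```python
"""Compare a release tarball against the file tree of a git tag (added example)."""
import hashlib
import io
import tarfile

# Constructed stand-in for the tagged tree (path -> content). In real use this
# would come from `git ls-tree -r <tag>` and `git cat-file` on each blob.
TAG_TREE = {
    "configure.ac": b"AC_INIT([foo], [1.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/ax_check.m4": b"dnl harmless macro\n",
}

# Files that upstreams commonly generate only in the release tarball
# (autoreconf output); their absence from the tag is expected, not suspicious.
GENERATED_OK = frozenset({"configure", "Makefile.in", "aclocal.m4"})


def build_tarball(files, prefix="foo-1.0/"):
    """Build an in-memory .tar.gz, like `git archive --prefix=foo-1.0/` would."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(prefix + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_files(tar_bytes):
    """Return ({path: sha256} for regular files, [names of non-file members]).

    The leading top-level directory is stripped, as dpkg-source does when it
    unpacks an orig tarball. Symlinks, hard links and device nodes are
    reported separately because they cannot be compared to a blob hash and
    are a classic place to hide surprises in an archive.
    """
    hashes, odd_members = {}, []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            if member.isdir():
                continue
            if not member.isfile():
                odd_members.append(member.name)
                continue
            data = tar.extractfile(member).read()
            hashes[path] = hashlib.sha256(data).hexdigest()
    return hashes, odd_members


def compare_tag_and_tarball(tag_tree, tar_bytes, generated_ok=GENERATED_OK):
    """Classify tarball contents relative to the tag.

    Returns a dict with sorted lists: 'added' (in tarball only and not on the
    generated allowlist), 'removed' (in tag only), 'modified' (present in both
    with different content) and 'odd' (non-regular members in the tarball).
    An empty 'added'/'modified'/'odd' is what you want before trusting the
    tarball as equivalent to the tag.
    """
    tag_hashes = {p: hashlib.sha256(c).hexdigest() for p, c in tag_tree.items()}
    tar_hashes, odd = tarball_files(tar_bytes)
    return {
        "added": sorted(p for p in tar_hashes
                        if p not in tag_hashes and p not in generated_ok),
        "removed": sorted(p for p in tag_hashes if p not in tar_hashes),
        "modified": sorted(p for p in tag_hashes
                           if p in tar_hashes and tag_hashes[p] != tar_hashes[p]),
        "odd": sorted(odd),
    }


def is_clean(report):
    """True when the tarball adds, changes or smuggles nothing relative to the tag."""
    return not (report["added"] or report["modified"] or report["odd"])


if __name__ == "__main__":
    # A tarball that matches the tag plus a legitimately generated `configure`.
    good = build_tarball({**TAG_TREE, "configure": b"#!/bin/sh\n"})
    print("good:", compare_tag_and_tarball(TAG_TREE, good))
    # A tarball carrying an extra m4 file and a changed source file.
    bad = build_tarball({**TAG_TREE, "configure": b"#!/bin/sh\n",
                         "m4/extra.m4": b"dnl not in git\n",
                         "src/main.c": b"int main(void) { return 1; }\n"})
    print("bad:", compare_tag_and_tarball(TAG_TREE, bad))
```

The allowlist is the practical caveat: a `git archive` of the tag and an autotools release tarball are never byte-identical, so the useful signal is not "differs" but "contains something that is neither in the tag nor on the known generated list". In a real deployment the tree would be read from the tag the uploader signed and the tarball would be the one whose upstream signature you also verified, so the check ties the two provenance chains together.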



Thread

How is the original tarball obtained in tag2upload Andreas Tille <andreas@an3as.eu> - 2024-06-14 12:50 +0200
  Re: How is the original tarball obtained in tag2upload Ian Jackson <ijackson@chiark.greenend.org.uk> - 2024-06-14 13:30 +0200
    Re: How is the original tarball obtained in tag2upload Simon McVittie <smcv@debian.org> - 2024-06-14 14:10 +0200
      Re: How is the original tarball obtained in tag2upload Ian Jackson <ijackson@chiark.greenend.org.uk> - 2024-06-14 15:50 +0200
    Re: How is the original tarball obtained in tag2upload Phil Morrell <debian@emorrp1.name> - 2024-06-14 23:30 +0200
      Re: How is the original tarball obtained in tag2upload Russ Allbery <rra@debian.org> - 2024-06-14 23:40 +0200
        Re: How is the original tarball obtained in tag2upload Antonio Terceiro <terceiro@debian.org> - 2024-06-17 14:10 +0200
      Re: How is the original tarball obtained in tag2upload Simon Josefsson <simon@josefsson.org> - 2024-06-15 09:10 +0200
        Re: How is the original tarball obtained in tag2upload Matthias Urlichs <matthias@urlichs.de> - 2024-06-16 23:00 +0200
          Re: How is the original tarball obtained in tag2upload Salvo Tomaselli <tiposchi@tiscali.it> - 2024-06-16 23:50 +0200
            Re: How is the original tarball obtained in tag2upload [and 1 more messages] Ian Jackson <ijackson@chiark.greenend.org.uk> - 2024-06-17 13:30 +0200
            Re: How is the original tarball obtained in tag2upload Sean Whitton <spwhitton@spwhitton.name> - 2024-06-20 07:50 +0200
