On 16/08/17 21:01, Daniel Kahn Gillmor wrote:
> Hi Guillem--
>
> On Thu 2017-08-17 01:05:46 +0200, Guillem Jover wrote:
> > It seems to me like you are perhaps trying to reimplement dpkg source
> > format «3.0 (git)» (described in man dpkg-source)? :)
>
> Thanks for that pointer, it does seem similar.
>
> I was hoping that we could produce an actual orig.tar.gz (so that the
> rest of the tools could use it as they have traditionally) and then some
> extra thing outside of the orig.tar.gz that, combined with the tarball,
> could be used to recreate the .git/ repository well enough to be able to
> (a) recreate the tarball, and (b) cryptographically verify the tag.
>
> this would solve my use case (being able to record and ship upstream's
> cryptographic signatures, when upstream "releases" with signed tags)
> without requiring the rest of the debian infrastructure to cope with git
> bundles as "orig.tar.gz-equivalent" blobs.
>
> But if there's a plan for "3.0 (git)" to become acceptable in debian,
> then it does seem like that might be the simplest way to move forward.
>
> i'll play around with git-bundle to try to understand it better.  from a
> scan of dpkg-source(1) and the various git manpages that i'm used to
> reading, i don't understand what .gitshallow or .git/shallow are
> supposed to do.  Does it get shipped alongside the .git?  does
> .git/shallow have meaning for other tools that i should be aware of?
>
>          --dkg

Hey all,

one of the pristine-tar maintainers here. Daniel's ideas made me think a
lot about this stuff recently. I've just found
https://github.com/cgwalters/git-evtag: it does not solve the problem
at hand, but the idea of solving the problem "upstream", i.e., in git,
seems reasonable to me.

So let's assume that git-archive can produce a reproducible,
uncompressed tarball, given a particular githash. Why not ask
interested upstream developers to do something like that:

  git tag -s TAGNAME -m "$(git archive --format tar HEAD | sha512sum)"

The tag proves:
  (1) the history in the git repository, as always
  (2) but also that a tar generated from this tag should have a particular
      sha512 hash

You can see how this works end-to-end: if we want to take a particular
git tag and release it in Debian, we just generate the tarball and
extract the associated tag as a crypto-proof.

Such tagging may be prohibitive for every commit, though, since it's
rather expensive to compute (or not, I just ran the above command in a
fresh clone of the Linux kernel source and it took 9s with fs caches, and
interestingly the same with caches dropped, weird). But it should be
totally fine at least for "release tags". The cool thing is that it
could be upstreamed in git, as a flag to git-tag, or at least provided
as an extension, such as git-atag (aka git-archive-tag, you get the
idea).

What do you think?

Tomasz
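The tag-then-verify flow Tomasz sketches above, written out as an added example (not code from the thread or from pristine-tar). It builds a throwaway repository, creates a tag whose message is the sha512 of `git archive` output, then checks a shipped tarball against that message; it assumes `git` and `sha512sum` are on PATH, uses `git tag -a` in place of the `-s` from the thread only because no signing key exists here, and the repository contents and identity are constructed.

```sh
#!/bin/sh
# Constructed demo of the "archive tag" idea: upstream tags a commit with the
# sha512 of `git archive` output; downstream obtains the tarball and checks it
# against the message that the tag (and, upstream, its signature) covers.
# Assumes git and sha512sum on PATH.  Identity values are made up.
set -eu
GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL

# Prints "<sha512>  -", exactly what the thread's tag message would contain.
archive_hash() {  # $1 = repo, $2 = tree-ish
    git -C "$1" archive --format tar "$2" | sha512sum
}

# Upstream side.  The thread uses `git tag -s` (GPG-signed); -a is used here
# only because this demo has no signing key.  The message is the same.
make_archive_tag() {  # $1 = repo, $2 = tag name
    git -C "$1" tag -a "$2" -m "$(archive_hash "$1" HEAD)"
}

# Downstream side: the shipped tarball must hash to the tag message.  With a
# signed tag, `git -C "$1" verify-tag "$2"` comes first, so the hash is trusted.
verify_archive_tag() {  # $1 = repo, $2 = tag name, $3 = tarball path
    expected=$(git -C "$1" for-each-ref --format='%(contents:subject)' "refs/tags/$2")
    actual=$(sha512sum < "$3")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Returns 0 when a faithful tarball verifies and a tampered copy does not.
demo() {
    repo=$(mktemp -d) && tarball=$(mktemp)
    git -C "$repo" init -q
    printf 'int main(void) { return 0; }\n' > "$repo/main.c"
    git -C "$repo" add main.c && git -C "$repo" commit -q -m 'initial import'
    make_archive_tag "$repo" v1.0
    # Later, from the tag alone: the orig tarball Debian tooling would consume.
    git -C "$repo" archive --format tar v1.0 > "$tarball"
    verify_archive_tag "$repo" v1.0 "$tarball" || return 1
    printf 'x' >> "$tarball"                     # simulate a modified tarball
    if verify_archive_tag "$repo" v1.0 "$tarball"; then return 1; fi
    rm -rf "$repo" "$tarball"
}
```

Regenerating the tarball from the tag later gives the same bytes because `git archive` derives the tar mtime and pax header from the tagged commit, which is what makes the hash in the message stable.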
