Simon Josefsson writes ("Re: Include git commit id and git tree id in *.changes 
files when uploading? [and 1 more messages] [and 1 more messages]"):
> Ian Jackson <[email protected]> writes:
> > in a "friendly low-complexity upstream" case when 1) debian/gbp.conf has
> > upstream-vcs-tag and 2) debian/watch points to upstream git?  Assume we
> > don't have to care about debian/copyright Files-Excluded and other
> > complexity that doesn't hold for >50% of packages.
> 
> With those limitations, I don't think the attack you describe works.  By
> having 'gbp import-orig' import verbatim pristine git from upstream, you
> avoid the hard-to-audit upstream tarball.  Or can you describe how
> things would go wrong in that setup?

Thanks for the reply.  I think I was probably wrong there:

I was going by what I saw in uscan(1)'s DESCRIPTION section, which
mentions only tarballs and doesn't talk about getting information from
the VCS.  But now that I search it for "git" I see the `mode=git` option.

Based on what I read there I now think you are right and I was wrong,
assuming by "debian/watch points to upstream git" you mean using
"mode=git" in debian/watch. [1]

The description in uscan(1) says in this mode it will always *make* a
tarball.  Specifically, it says it "packs the source tree" which I
assume means git-archive.  (Does it in fact use git-archive?  I think
we would want it to, to include the commitid metadata in the pax
header extension.  I don't see any reason why it *wouldn't* use git
archive.)  So yes that would avoid the hazard I'm talking about.

And then, my reading of gbp-import-orig(1) suggests that this will
indeed include the upstream history, as desired.

I note that the uscan(1) manpage discourages the use of mode=git.
That seems like bad advice to me.

So now ISTM that this combination of configuration would work fairly
well.  But I haven't tried it out - I'm just going by the
documentation.  I guess if you do this gbp import-orig will make a
null delta commit to represent the nonexistent diff between the
uscan-exported and gbp-reimported tarball tree, and upstream git.  But
that's probably harmless.

I'm not sure why this is *better* than gbp import-ref, though?
That is, you could use uscan mode=git and gbp import-ref.
That would presumably omit the anomalous null delta import commit.

Regards,
Ian.

[1] As opposed to, say, putting the URL of a tarball at a git forge in
debian/watch, which some might also think of as "pointing it at git".

-- 
Ian Jackson <[email protected]>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
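
The message above assumes that a tarball produced by `git archive` records the source commit id in a pax header extension, and that a `mode=git` debian/watch would let uscan build such a tarball. The script below is an added example, not code from the thread, from uscan or from git-buildpackage: it builds a throwaway upstream repository, archives it the way the message expects uscan to, reads the commit id back out of the pax global header and checks it against the real HEAD. The debian/watch fragment printed by `watch_file_mode_git` is a constructed illustration of the `mode=git` setting; its exact field layout is an assumption about uscan's syntax and should be checked against uscan(1) before use. It assumes `git`, `tar` and POSIX `sed` are installed.

```shell
#!/bin/sh
# Added example (not from the thread): check that a git-archive tarball
# carries its source commit id, so the Debian side can be tied back to
# the upstream commit rather than to an opaque tarball.
set -eu

# Print a constructed debian/watch using uscan's mode=git.  This is an
# assumption about uscan's watch-file syntax, not copied from the thread.
watch_file_mode_git() {
    cat <<'EOF'
version=4
opts="mode=git, gitmode=full, pgpmode=none" \
  https://git.example.org/upstream/upstream.git \
  refs/tags/v?(\d\S*) debian uupdate
EOF
}

# Recover the commit id from the pax global header of a git-archive tar.
# git archive writes the global header first: a 512-byte header block
# followed by a 512-byte data block holding "NN comment=<40 hex>\n".
tar_commit_id() {
    head -c 1024 "$1" | tail -c 512 | tr -d '\000' |
        sed -n 's/.*comment=\([0-9a-f]\{40\}\).*/\1/p'
}

# Build a throwaway upstream repo, archive HEAD into an orig tarball and
# compare the recorded commit id with `git rev-parse HEAD`.
# Prints the commit id and returns 0 when they match, 1 otherwise.
check_archive_roundtrip() {
    tmp=$(mktemp -d)
    (
        cd "$tmp"
        git init -q upstream
        cd upstream
        # Constructed sample content; identity is set inline so the
        # example runs on a machine with no git config.
        echo "hello from upstream" > README
        git add README
        git -c user.name=Example -c user.email=example@example.invalid \
            commit -q -m "constructed upstream release"
        git archive --format=tar --prefix=upstream-1.0/ \
            -o ../upstream_1.0.orig.tar HEAD
        git rev-parse HEAD > ../head
    )
    recorded=$(tar_commit_id "$tmp/upstream_1.0.orig.tar")
    actual=$(cat "$tmp/head")
    rm -rf "$tmp"
    [ -n "$recorded" ] && [ "$recorded" = "$actual" ] || return 1
    echo "$recorded"
}

# Stand-alone run: show the watch fragment, then the recorded commit id.
watch_file_mode_git
check_archive_roundtrip
```

The same `tar_commit_id` check can be run against an existing `*.orig.tar` to confirm whether it came from `git archive` and, if so, which commit it was cut from; a tarball produced some other way simply yields no id.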
