Otto Kekäläinen writes ("Bug#1127616: developers-reference: should document
using git-debpush to upload"):
> The tag2upload service is tightly coupled with dgit, and while dgit by
> design will never support pristine-tar type of ability to reproduce
> upstream tarballs bit-for-bit,

This is a bizarre assertion. dgit supports "pristine"[1] orig
tarballs just fine. Since it doesn't get involved in orig tarball
generation at all, it supports whatever method you like.

[1] Note that the word "pristine" here is *sarcasm* on the part of the
author of the coinage!

> it should at least have the actual
> upstream signed tags instead (from upstreams that publish them).

#1110269 is that the upstream signed tags aren't on dgit-repos, but
only on Salsa. I don't think this is a serious problem. It certainly
should not be any kind of blocker for adoption. By their nature, git
objects get spread about promiscuously. We're quite unlikely to lose
those tag objects.

> There were already suggestions on debian-devel@ that maintainers
> should use dgit push for the initial -1 upload and git debpush for the
> -1+N uploads. That is obviously overly complex and shows that this is
> not ready to be recommended to newbies in the developers reference.

One can of course just use dgit push for everything.

> ... I think a lot of people want to stop doing uploads via ftp/ssh
> and use git tags instead, but tag2upload / git debpush has design
> decisions which breaks traditional software provenance assumptions
> in Debian, such as being able to check bit-for-bit that the tarball
> was actually the same as from upstream, or store and check upstream
> signatures.

This obsession with tarballs is 20 years out of date. It may be
Debian's traditional approach, but it's fundamentally broken.

It's not just the xz attack that demonstrates the problem. To give
another example, treating intermediate build products - tarballs - as
source code might easily have resulted in us shipping a mystery meat
amd64 executable as part of our Rust serde package. In general, we
end up doing all manner of weirdnesses and workarounds for the
non-source stuff that's in tarballs. The practice you are advocating
applies the difference from git to the tarball contents as an
in-practice unreviewable.

Ian.
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
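The message above argues that the delta between a tagged git tree and the release tarball built from it is, in practice, never reviewed. The script below is an added example, not code from the thread, from dgit or from tag2upload: it lists exactly that delta (files the tarball adds, drops or alters relative to the tag) so a reviewer can see what is being shipped beyond what the VCS records. It assumes the tagged tree is available as a path-to-bytes mapping (in a real check this would be produced from the upstream signed tag with git ls-tree and git show); the tarball and the tree used here are constructed inline so the example runs offline.

```python
"""Added example: review the difference between a release tarball and the
git tree it claims to be built from.

Assumptions (not from the thread): the tagged tree is supplied as a dict
mapping repository path -> file bytes, and the tarball has a single
top-level directory ("pkg-1.0/") that is stripped before comparison.
All inputs are constructed below; nothing is fetched.
"""
import hashlib
import io
import tarfile


def tarball_contents(data: bytes) -> dict[str, bytes]:
    """Map each regular file in a (gzip/bz2/xz/plain) tarball to its bytes,
    with the leading top-level directory component removed."""
    out: dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue  # symlinks, directories, devices are not compared here
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            out[path] = tf.extractfile(member).read()
    return out


def diff_tarball_against_tree(tarball: bytes, tree: dict[str, bytes]) -> dict[str, list[str]]:
    """Return the paths the tarball adds, omits or changes relative to the tagged tree.
    Content comparison is by SHA-256 so large trees can be compared cheaply."""
    tb = tarball_contents(tarball)
    added = sorted(set(tb) - set(tree))
    missing = sorted(set(tree) - set(tb))
    changed = sorted(
        p for p in set(tb) & set(tree)
        if hashlib.sha256(tb[p]).digest() != hashlib.sha256(tree[p]).digest()
    )
    return {"added": added, "missing": missing, "changed": changed}


def build_tarball(prefix: str, files: dict[str, bytes]) -> bytes:
    """Construct an in-memory .tar.gz with one top-level directory (test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed stand-in for the content of the upstream signed tag.
TAGGED_TREE: dict[str, bytes] = {
    "README": b"example project\n",
    "configure.ac": b"AC_INIT([pkg], [1.0])\nAC_OUTPUT\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}

# Constructed stand-in for the release tarball: the tagged files plus
# generated build products, with one tracked file silently altered.
RELEASE_FILES: dict[str, bytes] = {
    "README": TAGGED_TREE["README"],
    "configure.ac": b"AC_INIT([pkg], [1.0])\nAC_CONFIG_MACRO_DIR([m4])\nAC_OUTPUT\n",
    "src/main.c": TAGGED_TREE["src/main.c"],
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
    "Makefile.in": b"all:\n\t$(CC) src/main.c\n",
}
RELEASE_TARBALL = build_tarball("pkg-1.0", RELEASE_FILES)


if __name__ == "__main__":
    report = diff_tarball_against_tree(RELEASE_TARBALL, TAGGED_TREE)
    for kind, paths in report.items():
        print(f"{kind:8s}: {', '.join(paths) or '(none)'}")
```

Anything listed under "added" or "changed" is content that the upstream tag's signature does not vouch for, which is the part of the release a reviewer would need to read before treating the tarball as source.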