Processed: Re: Bug#840523: debian-installer: undefined source format; .git/ may end up in source tarball

2016-10-21 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 wishlist
Bug #840523 [src:debian-installer] debian-installer: undefined source format; .git/ may end up in source tarball
Severity set to 'wishlist' from 'important'

-- 
840523: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840523
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#840523: debian-installer: undefined source format; .git/ may end up in source tarball

2016-10-21 Thread Steven Chamberlain
Control: severity -1 wishlist

Cyril Brulebois wrote:
> debcheckout's output lets you know you're getting a git repository. I'm
> not sure running debuild -S without -i/-I makes this an important bug in
> debian-installer…

Ok, I see.  This is perhaps only a desirable feature, then, for anyone
who likes to work that way with Debian packages.

> I don't like the idea of unneeded boilerplate in source packages just
> because dpkg developers want to force v3 onto people so badly.

I see.

> In case someone wants to merge this, I would like to see this very
> carefully reviewed for possible side effects. Getting an error during
> the next release, or worse a regression only seen afterwards, would
> really be annoying.

Since I needed to make a new jessie-kfreebsd upload of debian-installer,
stripping the .git/ directory out of the source tarball, I can try out
this patch (3.0 native and .tar.xz) with that to begin with.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org




Bug#840523: debian-installer: undefined source format; .git/ may end up in source tarball

2016-10-17 Thread Cyril Brulebois
Steven Chamberlain  (2016-10-12):
> Suppose a debian-installer source package is produced this way:
> 
> $ debcheckout debian-installer
> $ cd debian-installer
> $ debuild -S
> [...]
> dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1)
> dpkg-source: warning: source directory 'debian-installer' is not <sourcepackage>-<upstreamversion> 'debian-installer-20160704'
> dpkg-source: info: using source format '1.0'
> dpkg-source: info: building debian-installer in debian-installer_20160704.tar.gz
> dpkg-source: info: building debian-installer in debian-installer_20160704.dsc
> 
> In source format 1.0, dpkg-source does *not* exclude the .git/ directory
> from the generated tarball!  So if you built the source package that way,
> your Git working tree's refs and config are all included in the upload,
> which happened with my uploads here:
> http://ftp.debian.org/debian/pool/main/d/debian-installer/debian-installer_20150422+kbsd8u2.tar.gz
> http://ftp.debian.org/debian/pool/main/d/debian-installer/debian-installer_20150422+kbsd8u2+deb8u4.tar.gz

debcheckout's output lets you know you're getting a git repository. I'm
not sure running debuild -S without -i/-I makes this an important bug in
debian-installer…

> Note that source format 1.0 is only used because one is not specified in
> debian/source/format.  dpkg-source(1) recommends to specify a version and
> the lack of a debian/source/format file may be considered an error in
> future.

I don't like the idea of unneeded boilerplate in source packages just
because dpkg developers want to force v3 onto people so badly.

> dpkg-source(1) also recommends choosing a newer format.  3.0 (native)
> by default already excludes VCS directories such as .git/ from the
> generated tarball, already fixing the issue above.
> 
> 3.0 (native) does however default to .tar.xz compression, rather than
> .tar.gz as used at the moment.  I'm not sure if that may be an issue for
> other tools.  Maybe they should be fixed in that case.  Or _if_ it's
> preferred to still use .tar.gz, that could be specified in
> debian/source/options:
> compression = "gzip"

scripts/debian/byhand-di doesn't seem to look at something which isn't
the images tarball; I'm not sure whether something else might need
looking at.

> Attached is my proposed patch, for consideration.

In case someone wants to merge this, I would like to see this very
carefully reviewed for possible side effects. Getting an error during
the next release, or worse a regression only seen afterwards, would
really be annoying.


KiBi.




Bug#840523: debian-installer: undefined source format; .git/ may end up in source tarball

2016-10-12 Thread Steven Chamberlain
Package: src:debian-installer
Version: 20160704
Severity: important
Tags: patch

Hi!

Suppose a debian-installer source package is produced this way:

$ debcheckout debian-installer
$ cd debian-installer
$ debuild -S
[...]
dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1)
dpkg-source: warning: source directory 'debian-installer' is not <sourcepackage>-<upstreamversion> 'debian-installer-20160704'
dpkg-source: info: using source format '1.0'
dpkg-source: info: building debian-installer in debian-installer_20160704.tar.gz
dpkg-source: info: building debian-installer in debian-installer_20160704.dsc

In source format 1.0, dpkg-source does *not* exclude the .git/ directory
from the generated tarball!  So if you built the source package that way,
your Git working tree's refs and config are all included in the upload,
which happened with my uploads here:
http://ftp.debian.org/debian/pool/main/d/debian-installer/debian-installer_20150422+kbsd8u2.tar.gz
http://ftp.debian.org/debian/pool/main/d/debian-installer/debian-installer_20150422+kbsd8u2+deb8u4.tar.gz

Note that source format 1.0 is only used because one is not specified in
debian/source/format.  dpkg-source(1) recommends to specify a version and
the lack of a debian/source/format file may be considered an error in
future.

dpkg-source(1) also recommends choosing a newer format.  3.0 (native)
by default already excludes VCS directories such as .git/ from the
generated tarball, already fixing the issue above.

3.0 (native) does however default to .tar.xz compression, rather than
.tar.gz as used at the moment.  I'm not sure if that may be an issue for
other tools.  Maybe they should be fixed in that case.  Or _if_ it's
preferred to still use .tar.gz, that could be specified in
debian/source/options:
compression = "gzip"

Attached is my proposed patch, for consideration.

Thanks!

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 10.1-0-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

From d74e62562b5814a496ff485c4ba4f6bbfa542a50 Mon Sep 17 00:00:00 2001
From: Steven Chamberlain 
Date: Wed, 12 Oct 2016 12:47:02 +
Subject: [PATCH] Switch to dpkg-source format 3.0 (native)

By default this will also exclude VCS directories like .git/ from the
generated source tarball.

This changes the default compression from .tar.gz to .tar.xz also.
---
 debian/source/format | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 debian/source/format

diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
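Review bot: the new debian/source/format is the only file touched, so the switch from .tar.gz to .tar.xz mentioned in the commit message arrives as an unpinned side effect of the one added line. If anything consuming the source tarball still expects .tar.gz, add a debian/source/options file with the line compression = "gzip" in the same commit; otherwise say in the commit message which consumers were checked against .tar.xz. The diffstat also shows no debian/changelog entry recording the source format change, which would help anyone tracing a later regression back to it.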
-- 
2.1.4
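
A pre-upload check for the leak described in this report, as an added example that is not part of the original thread or of debian-installer: it lists VCS metadata inside a source tarball and fails if any is present. The directory list, the function names and the constructed pkg-1.0 tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: refuse a source tarball that still carries VCS metadata.
# The directory names below are an illustrative assumption; this is not
# dpkg-source's own exclusion list.
VCS_PATTERN='(^|/)(\.git|\.svn|\.hg|\.bzr|CVS)(/|$)'

# Print every tarball member that is, or lives under, a VCS directory.
# tar detects gzip/xz compression itself when reading an archive.
vcs_entries_in_tarball() {
    tar -tf "$1" | grep -E "$VCS_PATTERN"
}

# Return 0 when the tarball is clean, 1 when VCS metadata is present.
check_source_tarball() {
    if leaked=$(vcs_entries_in_tarball "$1"); then
        printf '%s: VCS metadata found:\n%s\n' "$1" "$leaked" >&2
        return 1
    fi
    return 0
}

# Build two constructed tarballs from a throwaway tree: one packed as-is
# (the .git/ directory rides along, as in the report) and one packed with
# .git excluded.
make_demo_tarballs() {
    root=$1
    mkdir -p "$root/pkg-1.0/.git/refs/heads" "$root/pkg-1.0/debian"
    # Constructed sample config: the kind of detail that leaks with .git/.
    printf '[remote "origin"]\n\turl = ssh://user@example.invalid/pkg.git\n' \
        > "$root/pkg-1.0/.git/config"
    echo 'constructed sample file' > "$root/pkg-1.0/debian/changelog"
    tar -C "$root" -czf "$root/leaky.tar.gz" pkg-1.0
    tar -C "$root" --exclude=.git -czf "$root/clean.tar.gz" pkg-1.0
}

demo=$(mktemp -d)
make_demo_tarballs "$demo"
check_source_tarball "$demo/leaky.tar.gz" || echo "leaky.tar.gz rejected"
check_source_tarball "$demo/clean.tar.gz" && echo "clean.tar.gz accepted"
rm -rf "$demo"
```

Run against a real upload candidate as check_source_tarball ../debian-installer_VERSION.tar.gz before signing, where VERSION is a placeholder.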