Processed: Re: Bug#840523: debian-installer: undefined source format; .git/ may end up in source tarball
Processing control commands:

> severity -1 wishlist
Bug #840523 [src:debian-installer] debian-installer: undefined source format; .git/ may end up in source tarball
Severity set to 'wishlist' from 'important'

--
840523: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840523
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#840523: debian-installer: undefined source format; .git/ may end up in source tarball
Control: severity -1 wishlist

Cyril Brulebois wrote:
> debcheckout's output lets you know you're getting a git repository. I'm
> not sure running debuild -S without -i/-I makes this an important bug in
> debian-installer…

Ok, I see. This is perhaps only a desirable feature, then, for anyone
who likes to work that way with Debian packages.

> I don't like the idea of unneeded boilerplate in source packages just
> because dpkg developers want to force v3 onto people so badly.

I see.

> In case someone wants to merge this, I would like to see this very
> carefully reviewed for possible side effects. Getting an error during
> the next release, or worse a regression only seen afterwards, would
> really be annoying.

Since I needed to make a new jessie-kfreebsd upload of debian-installer,
stripping the .git/ directory out of the source tarball, I can try out
this patch (3.0 native and .tar.xz) with that to begin with.

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
Bug#840523: debian-installer: undefined source format; .git/ may end up in source tarball
Steven Chamberlain (2016-10-12):
> Suppose a debian-installer source package is produced this way:
>
> $ debcheckout debian-installer
> $ cd debian-installer
> $ debuild -S
> [...]
> dpkg-source: warning: no source format specified in debian/source/format, see
> dpkg-source(1)
> dpkg-source: warning: source directory 'debian-installer' is not
> - 'debian-installer-20160704'
> dpkg-source: info: using source format '1.0'
> dpkg-source: info: building debian-installer in
> debian-installer_20160704.tar.gz
> dpkg-source: info: building debian-installer in debian-installer_20160704.dsc
>
> In source format 1.0, dpkg-source does *not* exclude the .git/ directory
> from the generated tarball! So if you built the source package that way,
> your Git working tree's refs and config are all included in the upload,
> which happened with my uploads here:
> http://ftp.debian.org/debian/pool/main/d/debian-installer/debian-installer_20150422+kbsd8u2.tar.gz
> http://ftp.debian.org/debian/pool/main/d/debian-installer/debian-installer_20150422+kbsd8u2+deb8u4.tar.gz

debcheckout's output lets you know you're getting a git repository. I'm
not sure running debuild -S without -i/-I makes this an important bug in
debian-installer…

> Note that source format 1.0 is only used because one is not specified in
> debian/source/format. dpkg-source(1) recommends to specify a version and
> the lack of a debian/source/format file may be considered an error in
> future.

I don't like the idea of unneeded boilerplate in source packages just
because dpkg developers want to force v3 onto people so badly.

> dpkg-source(1) also recommends choosing a newer format. 3.0 (native)
> by default already excludes VCS directories such as .git/ from the
> generated tarball, already fixing the issue above.
>
> 3.0 (native) does however default to .tar.xz compression, rather than
> .tar.gz as used at the moment. I'm not sure if that may be an issue for
> other tools. Maybe they should be fixed in that case. Or _if_ it's
> preferred to still use .tar.gz, that could be specified in
> debian/source/options:
> compression = "gzip"

scripts/debian/byhand-di doesn't seem to look at something which isn't
the images tarball; I'm not sure whether something else might need to be
looked at.

> Attached is my proposed patch, for consideration.

In case someone wants to merge this, I would like to see this very
carefully reviewed for possible side effects. Getting an error during
the next release, or worse a regression only seen afterwards, would
really be annoying.

KiBi.
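
Added example, not part of the thread and not code from dpkg or debian-installer: a pre-upload check that lists a generated source tarball and refuses it if VCS metadata such as .git/ is inside, whatever source format produced it. The function names, the list of VCS directory names and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Assumed set of VCS metadata names to look for (illustrative, not dpkg's list).
VCS_PATTERN='(^|/)(\.git|\.svn|\.hg|\.bzr|CVS)(/|$)'

# check_source_tarball TARBALL
# Returns 0 if clean, 1 if VCS metadata is present, 2 if the archive is unreadable.
check_source_tarball() {
    # List members first so a tar failure is not mistaken for "no matches".
    listing=$(tar -tf "$1" 2>/dev/null) || {
        echo "cannot read archive: $1" >&2
        return 2
    }
    # grep exits 1 when nothing matches, which means the tarball is clean.
    hits=$(printf '%s\n' "$listing" | grep -E "$VCS_PATTERN") || return 0
    printf 'VCS metadata found in %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# make_samples DIR
# Constructed sample: a fake working tree with a .git/ directory, packed once
# as-is (what the thread describes) and once with .git excluded.
make_samples() {
    mkdir -p "$1/debian-installer/.git" "$1/debian-installer/debian"
    echo '[core]' > "$1/debian-installer/.git/config"
    echo 'placeholder' > "$1/debian-installer/debian/changelog"
    tar -C "$1" -czf "$1/leaky.tar.gz" debian-installer
    tar -C "$1" --exclude=.git -czf "$1/clean.tar.gz" debian-installer
}

# Stand-alone demonstration on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_source_tarball "$demo_dir/leaky.tar.gz" || echo "leaky.tar.gz: rejected"
check_source_tarball "$demo_dir/clean.tar.gz" && echo "clean.tar.gz: ok"
rm -rf "$demo_dir"
```
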
Bug#840523: debian-installer: undefined source format; .git/ may end up in source tarball
Package: src:debian-installer
Version: 20160704
Severity: important
Tags: patch

Hi!

Suppose a debian-installer source package is produced this way:

    $ debcheckout debian-installer
    $ cd debian-installer
    $ debuild -S
    [...]
    dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1)
    dpkg-source: warning: source directory 'debian-installer' is not - 'debian-installer-20160704'
    dpkg-source: info: using source format '1.0'
    dpkg-source: info: building debian-installer in debian-installer_20160704.tar.gz
    dpkg-source: info: building debian-installer in debian-installer_20160704.dsc

In source format 1.0, dpkg-source does *not* exclude the .git/ directory
from the generated tarball! So if you built the source package that way,
your Git working tree's refs and config are all included in the upload,
which happened with my uploads here:
http://ftp.debian.org/debian/pool/main/d/debian-installer/debian-installer_20150422+kbsd8u2.tar.gz
http://ftp.debian.org/debian/pool/main/d/debian-installer/debian-installer_20150422+kbsd8u2+deb8u4.tar.gz

Note that source format 1.0 is only used because one is not specified in
debian/source/format. dpkg-source(1) recommends to specify a version and
the lack of a debian/source/format file may be considered an error in
future.

dpkg-source(1) also recommends choosing a newer format. 3.0 (native)
by default already excludes VCS directories such as .git/ from the
generated tarball, already fixing the issue above.

3.0 (native) does however default to .tar.xz compression, rather than
.tar.gz as used at the moment. I'm not sure if that may be an issue for
other tools. Maybe they should be fixed in that case. Or _if_ it's
preferred to still use .tar.gz, that could be specified in
debian/source/options:

    compression = "gzip"

Attached is my proposed patch, for consideration.

Thanks!
-- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: kfreebsd-amd64 (x86_64) Kernel: kFreeBSD 10.1-0-amd64 Locale: LANG=en_GB.UTF-8, LC_CTYPE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) >From d74e62562b5814a496ff485c4ba4f6bbfa542a50 Mon Sep 17 00:00:00 2001 From: Steven ChamberlainDate: Wed, 12 Oct 2016 12:47:02 + Subject: [PATCH] Switch to dpkg-source format 3.0 (native) By default this will also exclude VCS directories like .git/ from the generated source tarball. This changes the default compression from .tar.gz to .tar.xz also. --- debian/source/format | 1 + 1 file changed, 1 insertion(+) create mode 100644 debian/source/format diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 000..89ae9db --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) -- 2.1.4
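
Review bot: the single added line "3.0 (native)" in debian/source/format also moves the tarball from .tar.gz to .tar.xz, as the commit message itself notes, yet the patch adds no debian/source/options and the message does not say which consumers of debian-installer_*.tar.gz were checked against the new name. Either add debian/source/options with compression = "gzip" to keep the current artifact, or record in the commit message that the release tooling was tested with .tar.xz. It would also help to state in the message that the motivation is keeping .git/ refs and config out of uploads, so the reason for the format file is clear to later readers.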