Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-09 Thread Sean Whitton
Hello,

On Sat 07 Dec 2024 at 05:50pm GMT, Holger Levsen wrote:

> On Sat, Dec 07, 2024 at 10:39:43PM +0500, Andrey Rakhmatullin wrote:
>> No, there is clearly no consensus on unifying any workflows. Everyone
>> thinks their workflow is superior and canneeds to stay.
>
> I agree with the first sentence but I think the 2nd sentence is too much 
> drama.
>
> Those many workflows exists for reasons, some good, some not so good.

Right.  And there are many package-specific needs.

-- 
Sean Whitton



Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-09 Thread Jonathan Dowland

On Sat Dec 7, 2024 at 5:39 PM GMT, Andrey Rakhmatullin wrote:

No, there is clearly no consensus on unifying any workflows. Everyone
thinks their workflow is superior and canneeds to stay.


I'm more optimistic than this. I don't think we'll ever reach *one* 
workflow, but I think there may be a steadily emerging consensus about a 
common "highway" workflow. So long as it's not mandatory, and we 
recognise that many packages will not be suited to it, I hope even those 
who won't be transitioning to it would recognise the value of having it.


On Sat, Dec 07, 2024 at 02:34:20PM +0100, Andrea Pappacoda wrote:

Couldn't we decide to unify on a single "front end" command, which
chooses different backends automatically depending on the situation?


I can see the appeal of having a single "front-end" for this (and many 
other actions), especially for newcomers, but I think the general 
approach of introducing a new front-end wrapper would cause more harm 
than good.


--
Please do not CC me for listmail.

👱🏻  Jonathan Dowland
✎j...@debian.org
🔗   https://jmtd.net



Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-07 Thread Holger Levsen
On Sat, Dec 07, 2024 at 10:39:43PM +0500, Andrey Rakhmatullin wrote:
> No, there is clearly no consensus on unifying any workflows. Everyone
> thinks their workflow is superior and canneeds to stay.

I agree with the first sentence but I think the 2nd sentence is too much drama.

Those many workflows exists for reasons, some good, some not so good.

Even if we agreed on the one superiour workflow tomorrow (which won't happen
just because some people think that would be a good idea, but let's assume so),
it would still take years to achieve.

Which is not to say that cannot be done, but changing 30k source packages
takes years, probably rather a decade. Changing 2000 people decades old
habbits will probably take even longer.

What could be done much more easily however, would be to agree on one
default recommended workflow & toolchain for NEW packages and people.

Maybe.

OTOH, some of us do this already, eg the rust team. And because we are the
Debian rust team, we also have exceptions to this rule... ;)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Klimakatastrophe bedeutet kompletter sozialer Kollaps.


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-07 Thread Alec Leamas

On 07/12/2024 14:34, Andrea Pappacoda wrote:

It seems that we're all agreeing on trying to unify our different 
workflows as much as possible. Why do we have `git deborig`, `gbp 
export-orig`, `origtargz`, etc.? Couldn't we decide to unify on a single 
"front end" command, which chooses different backends automatically 
depending on the situation?


It would be a starting point. To new contributors, we could say, for 
example, "to generate the tarball, just run origtargz", independently of 
whether they use gbp, git-debrebase, no git at all, etc.


Bye!



https://xkcd.com/927/

--alec



Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-07 Thread Andrey Rakhmatullin
On Sat, Dec 07, 2024 at 02:34:20PM +0100, Andrea Pappacoda wrote:
> Hi all, I've tried catching up with the whole thread, but didn't fully yet.
> So excuse me if this has been asked/answered before.
> 
> On Tue Dec 3, 2024 at 3:40 AM CET, Sean Whitton wrote:
> > Then just make one: 'git deborig'.
> > 
> > I appreciate not everyone is happy with this, but it solves the problem.
> 
> It seems that we're all agreeing on trying to unify our different workflows
> as much as possible.

No, there is clearly no consensus on unifying any workflows. Everyone
thinks their workflow is superior and canneeds to stay.

> Why do we have `git deborig`, `gbp export-orig`, `origtargz`, etc.? 

They are parts of different incompatible workflows.

> Couldn't we decide to unify on a single "front end" command, which
> chooses different backends automatically depending on the situation?

That seems unlikely.
It can't be a command that runs the full workflow and it can't be a set of
separate commands that run separate parts of different workflows because
the parts themselves are unlikely to be possible to uinify.

> It would be a starting point. To new contributors, we could say, for
> example, "to generate the tarball, just run origtargz", independently of
> whether they use gbp, git-debrebase, no git at all, etc.

Ideally one shouldn't need to run any separate commands to generate the
tarball from a repo. E.g. the gbp workflow doesn't require this.
Additionally, e.g. gbp expects the tarball to be in the build-dir, while
no unrelated tools could know the location of the gbp build-dir.
See?

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-07 Thread Andrea Pappacoda
Hi all, I've tried catching up with the whole thread, but didn't fully 
yet. So excuse me if this has been asked/answered before.


On Tue Dec 3, 2024 at 3:40 AM CET, Sean Whitton wrote:

Then just make one: 'git deborig'.

I appreciate not everyone is happy with this, but it solves the 
problem.


It seems that we're all agreeing on trying to unify our different 
workflows as much as possible. Why do we have `git deborig`, `gbp 
export-orig`, `origtargz`, etc.? Couldn't we decide to unify on a single 
"front end" command, which chooses different backends automatically 
depending on the situation?


It would be a starting point. To new contributors, we could say, for 
example, "to generate the tarball, just run origtargz", independently of 
whether they use gbp, git-debrebase, no git at all, etc.


Bye!



Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-03 Thread Andrey Rakhmatullin
On Tue, Dec 03, 2024 at 10:40:03AM +0800, Sean Whitton wrote:
> >> > One possible rebuttal to this is "gbp needs to do the right thing then".
> >> > Currently gbp by default generates a broken tarball, which is also a
> >> > source of confusion for many.
> >>
> >> Do you have a bug report number?
> >
> > No.
> > I've found #902249 which is titled "Pull tarballs from the archive (or
> > upstream location)", maybe that's the one you think about. I haven't read
> > it, except for the "I hoped we could stay out of that business in 2018 but
> > since tarballs are still _the_ _thing_ in Debian" line, which I liked.
> >
> > For the avoidance of doubt, I don't think gbp *can* do the right thing
> > there. It's not my rebuttal. Maybe gbp should just refuse to generate a
> > random tarball from a commit-ish and let^Wrequire people to provide one or
> > provide a way to generate one in a correct way.
> 
> 'origtargz' from devscripts usually does the right thing.

Yeah, but it's a separate command. Some parts of this discussion are
specifically about the straightforward gbp-clone+gbp-buildpackage workflow.

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-02 Thread Sean Whitton
Hello,

On Thu 28 Nov 2024 at 10:29am -10, Theodore Ts'o wrote:

> *) As much as possible, we want to be able to use the unmodified
>source files are officially released by upstream.  Which might be a
>tarball and/or a signed git tag.

I ignore this completely, and I'm not the only one.

Even for traditionally maintained software like Emacs, Rob and I push
upstream-signed git tags to dgit.debian.org instead, and use 'git
archive' to generate a tarball to satisfy dak.

-- 
Sean Whitton


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-02 Thread Sean Whitton
Hello,

On Tue 26 Nov 2024 at 11:20pm +05, Andrey Rakhmatullin wrote:

> The archive, when the tarball is already there.
>
> These suggestions never discuss what to do when the tarball was never
> uploaded yet, even I didn't discuss that for simplicity.

Then just make one: 'git deborig'.

I appreciate not everyone is happy with this, but it solves the problem.

-- 
Sean Whitton



Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-02 Thread Sean Whitton
Hello,

On Tue 26 Nov 2024 at 11:28pm +05, Andrey Rakhmatullin wrote:

> On Tue, Nov 26, 2024 at 06:53:01PM +0100, Mechtilde Stehmann wrote:
>> > One possible rebuttal to this is "gbp needs to do the right thing then".
>> > Currently gbp by default generates a broken tarball, which is also a
>> > source of confusion for many.
>>
>> Do you have a bug report number?
>
> No.
> I've found #902249 which is titled "Pull tarballs from the archive (or
> upstream location)", maybe that's the one you think about. I haven't read
> it, except for the "I hoped we could stay out of that business in 2018 but
> since tarballs are still _the_ _thing_ in Debian" line, which I liked.
>
> For the avoidance of doubt, I don't think gbp *can* do the right thing
> there. It's not my rebuttal. Maybe gbp should just refuse to generate a
> random tarball from a commit-ish and let^Wrequire people to provide one or
> provide a way to generate one in a correct way.

'origtargz' from devscripts usually does the right thing.

-- 
Sean Whitton



Re: Simpler git workflow for packaging with upstreamless repositories

2024-12-02 Thread Jonathan Dowland

On Wed Nov 27, 2024 at 4:30 AM GMT, Otto Kekäläinen wrote:

> How common debian/gbp.conf points at something else: perhaps gbp's
> defaults are not good, if that many packages need to override them.

First of all may I ask you to not use terms like 'not good' as it may
come off negative towards the maintainer of that software. Guido has
done an amazing job with git-buildpackage and we certainly want him to
continue iterating on it.


I was really surprised to receive this feedback. I agree with using 
intentional language and not denigrating other's work. I spent a few 
days reflecting on what I wrote and how you've responded to it, and I 
haven't come to a conclusion as to whether I agree with you or not. On 
the one hand, juxtaposing "not good" with "gbp" could be taken badly, 
and using something like "not correct" or "not appropriate" may have 
avoided that; on the other, I believe I was clear in expressing that I 
was talking about the software's defaults rather than the software 
itself.



I also suggest you to participate in gbp development, as currently it
is 95% Guido alone. At
https://salsa.debian.org/agx/git-buildpackage/-/commits/master you can
for example suggest changes to those defaults along with a migration
path, or you can help with just improving the documentation so people
more easily end up choosing the right options.


Presently I prefer not to use gbp, so I don't think this would be an 
efficient use of my time. I'm also undecided on whether gbp should be 
recommended as the default tool that we recommend to developers for 
managing packages. I feel that engaging with your efforts on DEP18, 
considering how to progress DEP14 and the related discussions on -devel

are a better use of my resource at the present moment.


Secondly, it is perfectly valid for evey single package to have a
debian/gbp.conf and I would in fact prefer that. For every upstream we
need to have metadata on:
- do they have tarball releases (pristine-tar true/false)


Please don't infer the answer to "does upstream have tarball releases"
from "pristine-tar true/false", as they are not the same thing. I'm sure 
there are packages repositories where upstream's tarball is ignored, a 
"git archive"-produced tarball, or a GitHub release-derived tarball, is
used instead, *and* the pristine-tar branch duly populated (which again 
is independent from whether the maintainers have provided a 
debian/gbp.conf with a pristine-tar key value in it.) Likewise there are 
package repositories where the packaging is based on an upstream tarball,
but pristine-tar is not used, and/or its use not documented in a 
debian/gbp.conf.


More generally I think the *right* place for much of this metadata is 
not gbp.conf but should be somewhere more tool-agnostic, at least unless 
we actually agree to elevate gbp to the status of "use this unless you 
have a very good reason not to".


--
Please do not CC me for listmail.

👱🏻  Jonathan Dowland
✎j...@debian.org
🔗   https://jmtd.net



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-29 Thread sre4ever

Le 2024-11-29 18:35, Jonas Smedegaard a écrit :

Quoting sre4e...@free.fr (2024-11-29 16:57:23)

opened 15 years and a few days ago.


Great that you took "filing a bugreport" to imply checking first if
the issue was already reported.


Well, the point I wanted to make here was more about the speculative

far better traction
of reporting bugs ... I would even dare to write that the continued 
existence of this bug report alone for more than 15 years, with all its 
comments, proves perfectly that you were wrong about that. And I do 
really think that this is really unfortunate, but that's still a sad and 
hard fact. Which doesn't imply that asking for the same thing on a 
mailing-list is any better in terms of getting things done.


Cheers,

--
Julien Plissonneau Duquène



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-29 Thread Jonas Smedegaard
Quoting sre4e...@free.fr (2024-11-29 16:57:23)
> Le 2024-11-29 15:12, Jonas Smedegaard a écrit :
> > Quoting sre4e...@free.fr (2024-11-29 13:29:05)
> >> 
> >> Would it be possible to make it the default when there is already an
> >> existing `pristine-tar` branch in the repo being worked on?
> > 
> > Please consider filing that as a bugreport against bit-buildpackage -
> > I suspect that has a far better traction than asking speculatively in
> > this mailinglist and assuming that others picks up your thought and 
> > does
> > that task for you.
> 
> That would be a duplicate though, someone else already had that great 
> idea: see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557606 
> opened 15 years and a few days ago.

Great that you took "filing a bugreport" to imply checking first if
the issue was already reported.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-29 Thread sre4ever

Le 2024-11-29 10:58, Simon Josefsson a écrit :

The only record of this is
indirectly with the maintainer signing the *.changes file during 
package

upload.  But that is weak (only successfully uploaded packages are
protected, not work-in-progress) and not widely audited (*.changes 
files

aren't stored forever, or are they?).


I would like to know that as well, and if there is an automatable way to 
retrieve them even long after they are processed.


Cheers,

--
Julien Plissonneau Duquène



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-29 Thread sre4ever

Le 2024-11-29 15:12, Jonas Smedegaard a écrit :

Quoting sre4e...@free.fr (2024-11-29 13:29:05)


Would it be possible to make it the default when there is already an
existing `pristine-tar` branch in the repo being worked on?


Please consider filing that as a bugreport against bit-buildpackage -
I suspect that has a far better traction than asking speculatively in
this mailinglist and assuming that others picks up your thought and 
does

that task for you.


That would be a duplicate though, someone else already had that great 
idea: see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557606 
opened 15 years and a few days ago.


Cheers,

--
Julien Plissonneau Duquène



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-29 Thread Jonas Smedegaard
Quoting sre4e...@free.fr (2024-11-29 13:29:05)
> Le 2024-11-29 03:17, Otto Kekäläinen a écrit :
> 
> > but right now I warmly recommend people use 'pristine-tar = True' in
> > their gbp.confs.
> 
> Would it be possible to make it the default when there is already an 
> existing `pristine-tar` branch in the repo being worked on?

Please consider filing that as a bugreport against bit-buildpackage -
I suspect that has a far better traction than asking speculatively in
this mailinglist and assuming that others picks up your thought and does
that task for you.

Kind regards, and thanks for the great idea,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-29 Thread sre4ever

Hi,

Le 2024-11-29 03:17, Otto Kekäläinen a écrit :


but right now I warmly recommend people use 'pristine-tar = True' in
their gbp.confs.


Would it be possible to make it the default when there is already an 
existing `pristine-tar` branch in the repo being worked on?


Cheers,

--
Julien Plissonneau Duquène



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-29 Thread Pirate Praveen
2024, നവം 29 7:48:10 AM Otto Kekäläinen :

> Thanks Pirate Praveen for providing the first actual concrete case in
> this thread where pristine-tar had some issue!
>
> I noticed an interesting thing about this case:
>
> ± origtargz --download-only
> pristine-tar: successfully generated
> ../node-cacache_17.0.3+~cs10.3.7.orig-npmcli-move-file.tar.gz
> pristine-tar: successfully generated
> ../node-cacache_17.0.3+~cs10.3.7.orig-npmcli-fs.tar.gz
> pristine-tar: successfully generated
> ../node-cacache_17.0.3+~cs10.3.7.orig-infer-owner.tar.gz
> pristine-tar: successfully generated
> ../node-cacache_17.0.3+~cs10.3.7.orig-gar-promisify.tar.gz
> pristine-tar: successfully generated
> ../node-cacache_17.0.3+~cs10.3.7.orig-fs-minipass.tar.gz
> fatal: ambiguous argument
> '60b4383b8c982ac64553f2754abaefe7ca7ebf79^{tree}': unknown revision or
> path not in the working tree.
> Use '--' to separate paths from revisions, like this:
> 'git  [...] -- [...]'
> fatal: not a valid object name: 
> 60b4383b8c982ac64553f2754abaefe7ca7ebf79^{tree}
> tar: This does not look like a tar archive
> tar: Exiting with failure status due to previous errors
> pristine-tar: command failed: git archive --format=tar
> 60b4383b8c982ac64553f2754abaefe7ca7ebf79\^\{tree\} | (cd
> '/tmp/pristine-tar.obWgetreHi' && tar x)
>
> ± git show 60b4383b8c982ac64553f2754abaefe7ca7ebf79
> fatal: bad object 60b4383b8c982ac64553f2754abaefe7ca7ebf79
>
> ± git fetch origin 60b4383b8c982ac64553f2754abaefe7ca7ebf79
> fatal: remote error: upload-pack: not our ref
> 60b4383b8c982ac64553f2754abaefe7ca7ebf79
> fatal: the remote end hung up unexpectedly
>
> ± gbp export-orig --pristine-tar
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig.tar.gz
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-fs-minipass.tar.gz
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-infer-owner.tar.gz
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-npmcli-move-file.tar.gz
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-npmcli-fs.tar.gz
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-gar-promisify.tar.gz
>
> And then suddenly the git ref has emerged:
>
> ± git show a1567ff8077126b7aa8536b779e3e445ba367a49
> tree a1567ff8077126b7aa8536b779e3e445ba367a49
> .github/
> LICENSE.md
> README.md
> index.js
> package.json
> test/
>
> ± gbp export-orig --pristine-tar
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig.tar.gz
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-fs-minipass.tar.gz
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-infer-owner.tar.gz
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-npmcli-move-file.tar.gz
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-npmcli-fs.tar.gz
> gbp:info: Creating
> /home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-gar-promisify.tar.gz
>
> Also comparing output with what I manually downloaded from
> https://github.com/npm/cacache/releases/tag/v17.0.3
> $ sha256sum v17.0.3.tar.gz node-cacache_17.0.3+~cs10.3.7.orig.tar.gz
> 2daa2c943a9cf316eef10eda6883ac967ca32cc28de9decef147ea42bdc34283  
> v17.0.3.tar.gz
> 2daa2c943a9cf316eef10eda6883ac967ca32cc28de9decef147ea42bdc34283
> node-cacache_17.0.3+~cs10.3.7.orig.tar.gz
>
> Not sure what happened here. However in the end pristine-tar worked,
> and I was able to use it to verify the tarball. Longer notes in
> https://pad.debian.net/p/node-cacache-pristine-tar.
>
> There are however a lot of oddities in this package that makes it unusual
> - You don't have 'pristine-tar = True' in debian/gbp.conf. You should
> have it to enforce it is used and git pulled and git pushed
> consistently.
> - There is no README.source explaining what this '+~cs10.3.7' thing in
> the version is. I assumed you had repackaged something, but then also
> was surprised that it actuall was the same as upstream.
> - This package consists of the main package and 5 components that are
> all mangled together. Is that necessary? I am surpised such a complex
> thing actually seems to work

This is standard option of uscan documented in uscan man page.

>
> In summary: nothing in this is an argument to stop using pristine-tar
> in all packages. I think Theodore Ts'o also laid out pretty well all
> the benefits of pristine-tar and why it was originally developed, and
> those requirements and benefits still stand. Sure, we can in future
> also have other ways to do this in a future debian package format 3.1,
> but right now I warmly recommend people use 'pristine-tar = True' in
> their gbp.confs.

I only shared my experience of origtargz failing very commonly for me.


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-29 Thread Simon Josefsson
"Theodore Ts'o"  writes:

> Perhaps we could avoid talking past we formally had a list of
> requirements, and then match possible alternative approachs with how
> well they meet the agreed-upon requirements, and which requirements
> proponents want to dispense with because (at least for them), It's
> Just Not Worth It?

Yes please!  I suspect one root problem here is that people have
different conflicting requirements, and everyone primarily relate to
their own situation.

I often work in offline mode too, but never had any problem with the
download tarball approach.  After 'git clone' (which require internet)
the first thing I normally do is to attempt a build, and
git-buildpackage download the *.orig.tar.* automatically for me.  Then I
leave the tarball around on my laptop and never think about it.  It is
rare for me to happen to have a git repository of a package around and
not have its corresponding tarballs too, but workflows differ.

>> If we are worried about malicious upstreams replacing tarballs, or
>> man-in-the-middle attacks, I think my debian/upstream/*SUMS approach is
>> a more effective solution to that problem.
>
> Maybe... if there were tools that made it super easy to validate the
> tarball against the *SUMS files without needing to unpack the tarball
> first?

I think 'sha256sum -c mypackage-git-repository/debian/source/SHA256SUM'
should work if you have the tarballs in the current directory.

> Possibly with an inline GPG signature so we don't have to have
> separate SHA256SUM and SHA256SUM.asc files?  For bonus points, maybe
> also a tool that validates a SHA256SUM file with a git commit id,
> again without needing to do a "git checkout" first?
>
> I will note that this approach would break backwads compatibility with
> existing Debian source packaging, right?  That is, you're proposing
> that the debian/usptream/*SUMS file would replace the
> *.orig.tar.gz.asc file?

I don't think that works: the nice thing with *.orig.tar.gz.asc is that
we get upstream's signature file into Debian, allowing users to follow
the audit trail back to upstream.

My primary motivation is to make it possible to record under debian/ the
intended (by the package maintainer) checksums of the *.orig.tar.* and
(when they are different) upstream tarballs.  We don't have any way to
record that in debian/ today, I think.  The only record of this is
indirectly with the maintainer signing the *.changes file during package
upload.  But that is weak (only successfully uploaded packages are
protected, not work-in-progress) and not widely audited (*.changes files
aren't stored forever, or are they?).

/Simon


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Sean Whitton
Hello,

On Thu 28 Nov 2024 at 06:17pm -08, Otto Kekäläinen wrote:

> In summary: nothing in this is an argument to stop using pristine-tar
> in all packages. I think Theodore Ts'o also laid out pretty well all
> the benefits of pristine-tar and why it was originally developed, and
> those requirements and benefits still stand.

The very name of the tool is intended as an encouragement for us to move
away from tarballs.  It's making fun of Debian's attachment to upstream
tarballs.

-- 
Sean Whitton



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Otto Kekäläinen
Thanks Pirate Praveen for providing the first actual concrete case in
this thread where pristine-tar had some issue!

I noticed an interesting thing about this case:

± origtargz --download-only
pristine-tar: successfully generated
../node-cacache_17.0.3+~cs10.3.7.orig-npmcli-move-file.tar.gz
pristine-tar: successfully generated
../node-cacache_17.0.3+~cs10.3.7.orig-npmcli-fs.tar.gz
pristine-tar: successfully generated
../node-cacache_17.0.3+~cs10.3.7.orig-infer-owner.tar.gz
pristine-tar: successfully generated
../node-cacache_17.0.3+~cs10.3.7.orig-gar-promisify.tar.gz
pristine-tar: successfully generated
../node-cacache_17.0.3+~cs10.3.7.orig-fs-minipass.tar.gz
fatal: ambiguous argument
'60b4383b8c982ac64553f2754abaefe7ca7ebf79^{tree}': unknown revision or
path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git  [...] -- [...]'
fatal: not a valid object name: 60b4383b8c982ac64553f2754abaefe7ca7ebf79^{tree}
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
pristine-tar: command failed: git archive --format=tar
60b4383b8c982ac64553f2754abaefe7ca7ebf79\^\{tree\} | (cd
'/tmp/pristine-tar.obWgetreHi' && tar x)

± git show 60b4383b8c982ac64553f2754abaefe7ca7ebf79
fatal: bad object 60b4383b8c982ac64553f2754abaefe7ca7ebf79

± git fetch origin 60b4383b8c982ac64553f2754abaefe7ca7ebf79
fatal: remote error: upload-pack: not our ref
60b4383b8c982ac64553f2754abaefe7ca7ebf79
fatal: the remote end hung up unexpectedly

± gbp export-orig --pristine-tar
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig.tar.gz
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-fs-minipass.tar.gz
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-infer-owner.tar.gz
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-npmcli-move-file.tar.gz
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-npmcli-fs.tar.gz
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-gar-promisify.tar.gz

And then suddenly the git ref has emerged:

± git show a1567ff8077126b7aa8536b779e3e445ba367a49
tree a1567ff8077126b7aa8536b779e3e445ba367a49
.github/
LICENSE.md
README.md
index.js
package.json
test/

± gbp export-orig --pristine-tar
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig.tar.gz
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-fs-minipass.tar.gz
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-infer-owner.tar.gz
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-npmcli-move-file.tar.gz
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-npmcli-fs.tar.gz
gbp:info: Creating
/home/otto/debian/js-team/node-cacache_17.0.3+~cs10.3.7.orig-gar-promisify.tar.gz

Also comparing output with what I manually downloaded from
https://github.com/npm/cacache/releases/tag/v17.0.3
$ sha256sum v17.0.3.tar.gz node-cacache_17.0.3+~cs10.3.7.orig.tar.gz
2daa2c943a9cf316eef10eda6883ac967ca32cc28de9decef147ea42bdc34283  v17.0.3.tar.gz
2daa2c943a9cf316eef10eda6883ac967ca32cc28de9decef147ea42bdc34283
node-cacache_17.0.3+~cs10.3.7.orig.tar.gz

Not sure what happened here. However in the end pristine-tar worked,
and I was able to use it to verify the tarball. Longer notes in
https://pad.debian.net/p/node-cacache-pristine-tar.

There are however a lot of oddities in this package that makes it unusual
- You don't have 'pristine-tar = True' in debian/gbp.conf. You should
have it to enforce it is used and git pulled and git pushed
consistently.
- There is no README.source explaining what this '+~cs10.3.7' thing in
the version is. I assumed you had repackaged something, but then also
was surprised that it actuall was the same as upstream.
- This package consists of the main package and 5 components that are
all mangled together. Is that necessary? I am surpised such a complex
thing actually seems to work


In summary: nothing in this is an argument to stop using pristine-tar
in all packages. I think Theodore Ts'o also laid out pretty well all
the benefits of pristine-tar and why it was originally developed, and
those requirements and benefits still stand. Sure, we can in future
also have other ways to do this in a future debian package format 3.1,
but right now I warmly recommend people use 'pristine-tar = True' in
their gbp.confs.



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Theodore Ts'o
On Thu, Nov 28, 2024 at 10:35:49AM +0100, Simon Josefsson wrote:
> 
> I think this is a good example of us talking past each other in this
> thread: some people question the value of pristine in the first place
> (and I've been compelled by those arguments), and some people argue that
> the cost is small and there are no bugs (or at least lack of bug
> reports).

Our current system addresses a number of requirements, and it seems to
me that a number of the alternate solutions don't necessarily meet all
of the requirements.

Some of these requirements include:

*) We want an easy way to make sure the sources used to rebuild debian
   packages aren't maliciously modified.  We do this today via PGP
   signed tarballs.

*) As much as possible, we want to be able to use the unmodified
   source files are officially released by upstream.  Which might be a
   tarball and/or a signed git tag.

*) The sources that we redistribute alongside our binary packages must
   be DFSG compliant.  In some cases this might mean repacking the
   tar file, and might interfere with using upstream's official signed git
   tag.

*) We don't want to break the interface provided by "apt-get source" and
   debian source packages more generally.

I have my own personal requirements that might not be shared by
others.  For example, I don't like having to keep source tarballs
around when I need to rebuild debian packages, and tracking them down
by hand.  I also want to keep the storage overhead as much as possible
(hence, why I like pristine-tar).  And I want it to all work
automatically using my current build tools, which today is
git-buildpackage.  And finally, I am occasionally doing work in
network constrained environments (for example, while using my laptop
in an airplane), so I prefer to avoid solutions that start with "and
then we download the tar.gz file from the network".

Perhaps we could avoid talking past we formally had a list of
requirements, and then match possible alternative approachs with how
well they meet the agreed-upon requirements, and which requirements
proponents want to dispense with because (at least for them), It's
Just Not Worth It?

> If we are worried about malicious upstreams replacing tarballs, or
> man-in-the-middle attacks, I think my debian/upstream/*SUMS approach is
> a more effective solution to that problem.

Maybe... if there were tools that made it super easy to validate the
tarball against the *SUMS files without needing to unpack the tarball
first?  Possibly with an inline GPG signature so we don't have to have
separate SHA256SUM and SHA256SUM.asc files?  For bonus points, maybe
also a tool that validates a SHA256SUM file with a git commit id,
again without needing to do a "git checkout" first?

I will note that this approach would break backwads compatibility with
existing Debian source packaging, right?  That is, you're proposing
that the debian/usptream/*SUMS file would replace the
*.orig.tar.gz.asc file?

- Ted



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Andrey Rakhmatullin
On Thu, Nov 28, 2024 at 07:33:27PM +0530, Pirate Praveen wrote:
> 2024, നവം 28 5:46:47 PM Andrey Rakhmatullin :
> >
> >> Same works with
> >>
> >> pravi@mahishi2:/tmp/node-cacache$ gbp export-orig --pristine-tar
> >
> > Not sure what does this imply.
> 
> gbp is able to recreate the orig tars when origtargz fails. So it is a known 
> work around.

And if both call pristine-tar for this, I wonder what's the difference in
arguments (or what else could be different there?).

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Pirate Praveen
2024, നവം 28 5:46:47 PM Andrey Rakhmatullin :
>
>> Same works with
>>
>> pravi@mahishi2:/tmp/node-cacache$ gbp export-orig --pristine-tar
>
> Not sure what does this imply.

gbp is able to recreate the orig tars when origtargz fails. So it is a known 
work around.



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Chris Hofstaedtler
* Andrey Rakhmatullin  [241128 11:06]:
> On Thu, Nov 28, 2024 at 10:49:09AM +0100, gregor herrmann wrote:
> > > > As person B I don't want to go hunting for a tarball and place it in
> > > > the right place, I want gbp to re-create it from the pristine-tar
> > > > branch.
> > > Who cares? gbp export-orig takes care of it, unless you need to actually 
> > > upload it to the archive.

Just make sure to never use the upstream tarball then, given it
won't contain the same files. In your case where you don't start
with the upstream tarball it's -probably- fine, as long as nobody
then ventures into "use uscan"-land.

> > Often I want to upload it to the archive, that's quite typical in
> > teams: A uploads -1 and B uploads -2 with a bugfix or whatever.
> 
> The hypothetical change in the tools to silently download the tarball from
> the archive will make this easy.

Obviously these hyptothetical tools will also deal with all
previously uploaded versions correctly.

SCNR,
Chris



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Chris Hofstaedtler
* Paul Gevers  [241128 12:52]:
> Hi,
> 
> On 11/28/24 10:56, Pirate Praveen wrote:
> > pristine-tar almost always fail when there are multiple orig tar files.
> > I did not report bugs since the limitation of not working 100% is a
> > known issue already.
> 
> I'm surprised to hear this. src:cacti is using multiple orig tar files (2)
> for several years now and I've been using pristine-tar (via gbp) to store
> them.

But can you create the tarballs from that repo?

cacti $ git show pristine-tar
commit 1a42ec3d9772f93caa8b98cb78c5b0d2b0b320e9 (origin/pristine-tar, 
pristine-tar)
Author: Paul Gevers 
AuthorDate: Wed Oct 9 14:04:17 2024 +0200
Commit: Paul Gevers 
CommitDate: Wed Oct 9 14:04:17 2024 +0200

pristine-tar data for cacti_1.2.28+ds1.orig.tar.gz

diff --git a/cacti_1.2.28+ds1.orig.tar.gz.delta 
b/cacti_1.2.28+ds1.orig.tar.gz.delta
new file mode 100644
index ..382fe265
Binary files /dev/null and b/cacti_1.2.28+ds1.orig.tar.gz.delta differ
diff --git a/cacti_1.2.28+ds1.orig.tar.gz.id b/cacti_1.2.28+ds1.orig.tar.gz.id
new file mode 100644
index ..1fa49d3d
--- /dev/null
+++ b/cacti_1.2.28+ds1.orig.tar.gz.id
@@ -0,0 +1 @@
+979cace8c3b2467cdc418b849810b0ec2a54c7ae

cacti $ git show 979cace8c3b2467cdc418b849810b0ec2a54c7ae
fatal: bad object 979cace8c3b2467cdc418b849810b0ec2a54c7ae

...

I'll note that the tag upstream/1.2.28+ds1 points to 
6aa33682cc62c3fbb638ff85dc02bf531406de93 .

C.



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Andrey Rakhmatullin
On Thu, Nov 28, 2024 at 05:37:41PM +0530, Pirate Praveen wrote:
> This can now be reproduced with node-cacache
> 
> pravi@mahishi2:/tmp$ gbp clone --pristine-tar
> g...@salsa.debian.org:js-team/node-cacache.git
> gbp:info: Cloning from 'g...@salsa.debian.org:js-team/node-cacache.git'
> pravi@mahishi2:/tmp$ cd node-cacache/
> pravi@mahishi2:/tmp/node-cacache$ less debian/gbp.conf
> pravi@mahishi2:/tmp/node-cacache$ origtargz
> pristine-tar: successfully generated
> ../node-cacache_17.0.3+~cs10.3.7.orig-npmcli-move-file.tar.gz
> pristine-tar: successfully generated
> ../node-cacache_17.0.3+~cs10.3.7.orig-npmcli-fs.tar.gz
> pristine-tar: successfully generated
> ../node-cacache_17.0.3+~cs10.3.7.orig-infer-owner.tar.gz
> pristine-tar: successfully generated
> ../node-cacache_17.0.3+~cs10.3.7.orig-gar-promisify.tar.gz
> pristine-tar: successfully generated
> ../node-cacache_17.0.3+~cs10.3.7.orig-fs-minipass.tar.gz
> fatal: ambiguous argument '60b4383b8c982ac64553f2754abaefe7ca7ebf79^{tree}':
> unknown revision or path not in the working tree.

node-cacache_17.0.3+~cs10.3.7.orig.tar.gz.id contains that hash and there
is indeed no object with that has in that repo. So I guess the main
question is how was this repo generated.

> Same works with
> 
> pravi@mahishi2:/tmp/node-cacache$ gbp export-orig --pristine-tar

Not sure what does this imply.

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Pirate Praveen




On 11/28/24 5:29 PM, Pirate Praveen wrote:



On 11/28/24 5:22 PM, Paul Gevers wrote:

Hi,

On 11/28/24 10:56, Pirate Praveen wrote:
pristine-tar almost always fail when there are multiple orig tar 
files. I did not report bugs since the limitation of not working 100% 
is a known issue already.


I'm surprised to hear this. src:cacti is using multiple orig tar files 
(2) for several years now and I've been using pristine-tar (via gbp) 
to store them.


Do you import them using gbp import-orig --pristine-tar as well? or just 
pristine-tar commit?



Paul

https://salsa.debian.org/debian/cacti/-/tree/pristine-tar?ref_type=heads





This can now be reproduced with node-cacache

pravi@mahishi2:/tmp$ gbp clone --pristine-tar 
g...@salsa.debian.org:js-team/node-cacache.git

gbp:info: Cloning from 'g...@salsa.debian.org:js-team/node-cacache.git'
pravi@mahishi2:/tmp$ cd node-cacache/
pravi@mahishi2:/tmp/node-cacache$ less debian/gbp.conf
pravi@mahishi2:/tmp/node-cacache$ origtargz
pristine-tar: successfully generated 
../node-cacache_17.0.3+~cs10.3.7.orig-npmcli-move-file.tar.gz
pristine-tar: successfully generated 
../node-cacache_17.0.3+~cs10.3.7.orig-npmcli-fs.tar.gz
pristine-tar: successfully generated 
../node-cacache_17.0.3+~cs10.3.7.orig-infer-owner.tar.gz
pristine-tar: successfully generated 
../node-cacache_17.0.3+~cs10.3.7.orig-gar-promisify.tar.gz
pristine-tar: successfully generated 
../node-cacache_17.0.3+~cs10.3.7.orig-fs-minipass.tar.gz
fatal: ambiguous argument 
'60b4383b8c982ac64553f2754abaefe7ca7ebf79^{tree}': unknown revision or 
path not in the working tree.

Use '--' to separate paths from revisions, like this:
'git  [...] -- [...]'
fatal: not a valid object name: 
60b4383b8c982ac64553f2754abaefe7ca7ebf79^{tree}

tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
pristine-tar: command failed: git archive --format=tar 
60b4383b8c982ac64553f2754abaefe7ca7ebf79\^\{tree\} | (cd 
'/tmp/pristine-tar.nbS9WwWNUi' && tar x)


debian/gbp.conf which defines the extra orig tars,

[DEFAULT]
component=['fs-minipass', 'infer-owner', 'npmcli-move-file', 
'npmcli-fs', 'gar-promisify']


[import-orig]
filter=.gitignore

Then this is imported with gbp import-orig --pristine-tar

Same works with

pravi@mahishi2:/tmp/node-cacache$ gbp export-orig --pristine-tar
gbp:info: Creating /tmp/node-cacache_17.0.3+~cs10.3.7.orig.tar.gz
gbp:info: Creating 
/tmp/node-cacache_17.0.3+~cs10.3.7.orig-fs-minipass.tar.gz
gbp:info: Creating 
/tmp/node-cacache_17.0.3+~cs10.3.7.orig-infer-owner.tar.gz
gbp:info: Creating 
/tmp/node-cacache_17.0.3+~cs10.3.7.orig-npmcli-move-file.tar.gz

gbp:info: Creating /tmp/node-cacache_17.0.3+~cs10.3.7.orig-npmcli-fs.tar.gz
gbp:info: Creating 
/tmp/node-cacache_17.0.3+~cs10.3.7.orig-gar-promisify.tar.gz




Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Pirate Praveen




On 11/28/24 5:22 PM, Paul Gevers wrote:

Hi,

On 11/28/24 10:56, Pirate Praveen wrote:
pristine-tar almost always fail when there are multiple orig tar 
files. I did not report bugs since the limitation of not working 100% 
is a known issue already.


I'm surprised to hear this. src:cacti is using multiple orig tar files 
(2) for several years now and I've been using pristine-tar (via gbp) to 
store them.


Do you import them using gbp import-orig --pristine-tar as well? or just 
pristine-tar commit?



Paul

https://salsa.debian.org/debian/cacti/-/tree/pristine-tar?ref_type=heads





Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Paul Gevers

Hi,

On 11/28/24 10:56, Pirate Praveen wrote:
pristine-tar almost always fail when there are multiple orig tar files. 
I did not report bugs since the limitation of not working 100% is a 
known issue already.


I'm surprised to hear this. src:cacti is using multiple orig tar files 
(2) for several years now and I've been using pristine-tar (via gbp) to 
store them.


Paul

https://salsa.debian.org/debian/cacti/-/tree/pristine-tar?ref_type=heads



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread gregor herrmann
On Thu, 28 Nov 2024 15:06:15 +0500, Andrey Rakhmatullin wrote:

> > Often I want to upload it to the archive, that's quite typical in
> > teams: A uploads -1 and B uploads -2 with a bugfix or whatever.
> The hypothetical change in the tools to silently download the tarball from
> the archive will make this easy.

Oh, sure, and I'm not wedded to pristine-tar or gbp using the
pristine-tar branch. I just want to say that working in teams
requires easy access to the identical .orig.tar.*, and "easy" for me
also means "automatic" (in contrast to "download from somewhere and
put it in some directory manually").


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   BOFH excuse #399:  We are a 100% Microsoft Shop. 



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Andrey Rakhmatullin
On Thu, Nov 28, 2024 at 10:49:09AM +0100, gregor herrmann wrote:
> > > As person B I don't want to go hunting for a tarball and place it in
> > > the right place, I want gbp to re-create it from the pristine-tar
> > > branch.
> > Who cares? gbp export-orig takes care of it, unless you need to actually 
> > upload it to the archive.
>  
> Often I want to upload it to the archive, that's quite typical in
> teams: A uploads -1 and B uploads -2 with a bugfix or whatever.

The hypothetical change in the tools to silently download the tarball from
the archive will make this easy.

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Pirate Praveen
2024, നവം 28 3:06:13 PM Simon Josefsson :
> I think this is a good example of us talking past each other in this
> thread: some people question the value of pristine in the first place
> (and I've been compelled by those arguments), and some people argue that
> the cost is small and there are no bugs (or at least lack of bug
> reports).
>

pristine-tar almost always fail when there are multiple orig tar files. I did 
not report bugs since the limitation of not working 100% is a known issue 
already.

Many packages in js-team and gitlab package is an example.

In some cases when origtargz command fails, gbp export-orig --pristine-tar 
works. Again this incompatibility between using pristine-tar directly and gbp 
export-orig seems like a known issue.

A simple fix would probably for origtargz to fall back to gbp export-orig if 
pristine-tar fail.


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread gregor herrmann
On Thu, 28 Nov 2024 09:41:53 +0100, Marco d'Itri wrote:

> On Nov 27, gregor herrmann  wrote:
> > As person B I don't want to go hunting for a tarball and place it in
> > the right place, I want gbp to re-create it from the pristine-tar
> > branch.
> Who cares? gbp export-orig takes care of it, unless you need to actually 
> upload it to the archive.
 
Often I want to upload it to the archive, that's quite typical in
teams: A uploads -1 and B uploads -2 with a bugfix or whatever.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   BOFH excuse #229:  wrong polarity of neutron flow 



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Simon Josefsson
"Theodore Ts'o"  writes:

> On Tue, Nov 26, 2024 at 04:27:37PM +0100, Simon Josefsson wrote:
>> I have never understood what value there is in duplicating the uploaded
>> tarball in the git repository.
>
> The actual cost of storing the pristine tarball is quite small.

I think this is a good example of us talking past each other in this
thread: some people question the value of pristine in the first place
(and I've been compelled by those arguments), and some people argue that
the cost is small and there are no bugs (or at least lack of bug
reports).

> For example:
>
> commit 91c7ab39337da63371b4814bef2b2aaf85a9e37c (origin/pristine-tar, 
> pristine-tar)
> Author: Theodore Ts'o 
> Date:   Mon May 20 23:12:54 2024 -0400
>
> pristine-tar data for e2fsprogs_1.47.1.orig.tar.gz
>
>  e2fsprogs_1.47.1.orig.tar.gz.asc   |  11 +++
>  e2fsprogs_1.47.1.orig.tar.gz.delta | Bin 0 -> 63961 bytes
>  e2fsprogs_1.47.1.orig.tar.gz.id|   1 +
>  3 files changed, 12 insertions(+)
>
> Compare if I had to keep all of the old release tarballs around:
>
> 9.5M e2fsprogs-1.47.1.tar.gz
>
> The reason why I find pristine-tar *super* valuable is because it
> stashes the signed tarball and tarball in a highly efficient way, and
> which can be easily backed up by just doing a "git push" to github /
> git.kernel.org / salsa.  I can then just kick off a git-buildpackage
> in a super-convenient way, so the tooling is quite mature and
> convenient for development velocity.
>
> I could imagine an alternate way of generating data for
> git-buildpackage, by replacing the pristine with something that stores
> the detached GPG signature, and then a shell script which generates
> the orig.tar.gz, for example at [1].  But now we'd have third-party
> users who want to rebuild the debian packages from source executing an
> arbitrary shell script found in the git repository to generate the
> orig.tar.gz file, which would be a security nightmare.  Pristine-tar
> is a much better from that perspective.
>
> [1] https://github.com/tytso/e2fsprogs/blob/master/util/gen-git-tarball

Yeah, this is nice, but I appear to have all of that with
git-pbuildpackage, uscan, origtargz etc downloading the upstream tarball
automatically already today.

If we are worried about malicious upstreams replacing tarballs, or
man-in-the-middle attacks, I think my debian/upstream/*SUMS approach is
a more effective solution to that problem.  Pristine-tar seems like a
tool-centric solution that isn't used elsewhere in the FOSS ecosystem.
Hash checksums are widely used to solve the security concerns, and
people know about those concepts even without learning anything about
Debian let alone git-buildpackage or pristine-tar.

If we are worried about upstreams going away so the tarball URLs doesn't
work, I like the Guix approach to 1) store hash checksums and 2) a
mirror system that fall back to the Software Heritage.  That also uses
known established concepts (SHA256 hashes + URL list) to solve the
problem, without having to learn git-buildpackage or pristine-tar.

/Simon


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Andrey Rakhmatullin
On Thu, Nov 28, 2024 at 09:41:53AM +0100, Marco d'Itri wrote:
> On Nov 27, gregor herrmann  wrote:
> 
> > As person B I don't want to go hunting for a tarball and place it in
> > the right place, I want gbp to re-create it from the pristine-tar
> > branch.
> Who cares? gbp export-orig takes care of it, unless you need to actually 
> upload it to the archive.

(only if the file contents inside those are identical)



-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Marco d'Itri
On Nov 27, gregor herrmann  wrote:

> As person B I don't want to go hunting for a tarball and place it in
> the right place, I want gbp to re-create it from the pristine-tar
> branch.
Who cares? gbp export-orig takes care of it, unless you need to actually 
upload it to the archive.

-- 
ciao,
Marco


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-28 Thread Theodore Ts'o
On Tue, Nov 26, 2024 at 04:27:37PM +0100, Simon Josefsson wrote:
> I have never understood what value there is in duplicating the uploaded
> tarball in the git repository.

The actual cost of storing the pristine tarball is quite small.  For
example:

commit 91c7ab39337da63371b4814bef2b2aaf85a9e37c (origin/pristine-tar, 
pristine-tar)
Author: Theodore Ts'o 
Date:   Mon May 20 23:12:54 2024 -0400

pristine-tar data for e2fsprogs_1.47.1.orig.tar.gz

 e2fsprogs_1.47.1.orig.tar.gz.asc   |  11 +++
 e2fsprogs_1.47.1.orig.tar.gz.delta | Bin 0 -> 63961 bytes
 e2fsprogs_1.47.1.orig.tar.gz.id|   1 +
 3 files changed, 12 insertions(+)

Compare if I had to keep all of the old release tarballs around:

9.5M e2fsprogs-1.47.1.tar.gz

The reason why I find pristine-tar *super* valuable is because it
stashes the signed tarball and tarball in a highly efficient way, and
which can be easily backed up by just doing a "git push" to github /
git.kernel.org / salsa.  I can then just kick off a git-buildpackage
in a super-convenient way, so the tooling is quite mature and
convenient for development velocity.

I could imagine an alternate way of generating data for
git-buildpackage, by replacing the pristine with something that stores
the detached GPG signature, and then a shell script which generates
the orig.tar.gz, for example at [1].  But now we'd have third-party
users who want to rebuild the debian packages from source executing an
arbitrary shell script found in the git repository to generate the
orig.tar.gz file, which would be a security nightmare.  Pristine-tar
is a much better from that perspective.

[1] https://github.com/tytso/e2fsprogs/blob/master/util/gen-git-tarball

Cheers,

- Ted



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Chris Hofstaedtler
* Marc Haber  [241127 13:52]:
> On Wed, Nov 27, 2024 at 01:48:33PM +0100, Chris Hofstaedtler wrote:
> > * Marc Haber  [241127 13:28]:
> > > On Wed, Nov 27, 2024 at 04:58:00PM +0500, Andrey Rakhmatullin wrote:
> > > > Yup, as I said it makes sense. It just feels fragile to me when the
> > > > "pristine" tarball for a given upstream tag in a given repo is not
> > > > determined until someone uploads it.
> > > 
> > > I would love to have a possibility to just push a new upstream tarball
> > > into the archive at the very beginning of the process of packaging the
> > > new upstream version (and without triggering anything else in Debian).
> > 
> > I hear what you're saying, but in the end it is still a workaround,
> > right?
> 
> It's just "putting a nail" into a new upstream version.
> 
> > Just uploading a new tarball with every debian revision seems so
> > much more straightforward.
> 
> That means that the upstream tarball is possible to get wrong with any
> new upload. I am not sure whether I like that.

At least for some packages, what I consider the interesting part is the
contents of the "upstream" branch, and not what is in upstream's
tarball.

> I might motivate me,
> though, to finally explore which of the tools I am holding wrong with
> upstream tarball handling.

Reconciling these things seems like a lot of busywork, as you said.

While I haven't given up on pristine-tar yet, this thread pushes my
motivation towards exploring the +dfsgN-1 idea "fo' real".

Chris



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Marc Haber
On Wed, Nov 27, 2024 at 01:48:33PM +0100, Chris Hofstaedtler wrote:
> * Marc Haber  [241127 13:28]:
> > On Wed, Nov 27, 2024 at 04:58:00PM +0500, Andrey Rakhmatullin wrote:
> > > Yup, as I said it makes sense. It just feels fragile to me when the
> > > "pristine" tarball for a given upstream tag in a given repo is not
> > > determined until someone uploads it.
> > 
> > I would love to have a possibility to just push a new upstream tarball
> > into the archive at the very beginning of the process of packaging the
> > new upstream version (and without triggering anything else in Debian).
> 
> I hear what you're saying, but in the end it is still a workaround,
> right?

It's just "putting a nail" into a new upstream version.

> Just uploading a new tarball with every debian revision seems so
> much more straightforward.

That means that the upstream tarball is possible to get wrong with any
new upload. I am not sure whether I like that. I might motivate me,
though, to finally explore which of the tools I am holding wrong with
upstream tarball handling.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Chris Hofstaedtler
* Marc Haber  [241127 13:28]:
> On Wed, Nov 27, 2024 at 04:58:00PM +0500, Andrey Rakhmatullin wrote:
> > Yup, as I said it makes sense. It just feels fragile to me when the
> > "pristine" tarball for a given upstream tag in a given repo is not
> > determined until someone uploads it.
> 
> I would love to have a possibility to just push a new upstream tarball
> into the archive at the very beginning of the process of packaging the
> new upstream version (and without triggering anything else in Debian).

I hear what you're saying, but in the end it is still a workaround,
right?

Just uploading a new tarball with every debian revision seems so
much more straightforward.

I know, some packages might have huge tarballs. On the other hand,
some packages like src:linux seem to get a new tarball each time
anyway (because often there's no -2?).

I imagine each package can do this today, by producing an
+dfsg-1 version for each upload ...

Chris



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Marc Haber
On Wed, Nov 27, 2024 at 04:58:00PM +0500, Andrey Rakhmatullin wrote:
> Yup, as I said it makes sense. It just feels fragile to me when the
> "pristine" tarball for a given upstream tag in a given repo is not
> determined until someone uploads it.

I would love to have a possibility to just push a new upstream tarball
into the archive at the very beginning of the process of packaging the
new upstream version (and without triggering anything else in Debian).

I have done -0 experimental uploads just for the sake of the
orig.tar.gz.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Andrey Rakhmatullin
On Tue, Nov 26, 2024 at 08:30:31PM -0800, Otto Kekäläinen wrote:
> > > > One possible rebuttal to this is "gbp needs to do the right thing then".
> > > > Currently gbp by default generates a broken tarball, which is also a
> > > > source of confusion for many.
> > >
> > > Do you have a bug report number?
> >
> > No.
> > I've found #902249 which is titled "Pull tarballs from the archive (or
> > upstream location)", maybe that's the one you think about. I haven't read
> > it, except for the "I hoped we could stay out of that business in 2018 but
> > since tarballs are still _the_ _thing_ in Debian" line, which I liked.
> >
> > For the avoidance of doubt, I don't think gbp *can* do the right thing
> > there. It's not my rebuttal. Maybe gbp should just refuse to generate a
> > random tarball from a commit-ish and let^Wrequire people to provide one or
> > provide a way to generate one in a correct way.
> 
> I often hear this complaint about pristine-tar, but I don't take it
> seriously until somebody actually files a bug report and has a
> reproducible case. For every single package I maintain I use
> pristine-tar and it works correctly.

Maybe you (and maybe some other people too?) misunderstood what I meant.
I meant that if the repo doesn't enable pristine-tar via d/gbp.conf and
you didn't enable it globally on your system then by default building that
repo will generate and use a tarball that is not identical to the one in
the archive.

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Gioele Barabucci

On 27/11/24 04:30, Otto Kekäläinen wrote:

Secondly, it is perfectly valid for evey single package to have a
debian/gbp.conf and I would in fact prefer that. For every upstream we
need to have metadata on:
- do they have tarball releases (pristine-tar true/false)
- do they have git tags and what is the format (upstream-vcs-tag)
- are those git tags expected to be signed or not (upstream-signatures on/off)


It's great that these important pieces of information can be stored in 
d/gbp.conf (and I will keep doing it), but this information should 
really be stored somewhere in d/upstream/metadata.


On the same topic, many people have asked in the past for a 
machine-readable and tooling-independent way to specify:


a) information about the way upstream does releases and,
b) the packaging workflow used by that package manager.

For some, this documentation would be a step-stop towards a standardized 
workflow. For others, it would act as a replacement for a standardized 
workflow.


We should really start a discussion on a "formalized README.source.md".

Regards,

--
Gioele Barabucci



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Andrey Rakhmatullin
On Tue, Nov 26, 2024 at 08:49:44PM +0100, Simon Josefsson wrote:
> >> > >> > Yes, as they don't enable pristine-tar
> >> > >> 
> >> > >> Is pristine-tar still valuable these days?
> >> > >
> >> > > Unfortunately yes. AFAIK the two options for fixing this that are
> >> > > usually proposed are:
> >> > >
> >> > > 1) treat it as a problem of each individual developer, just like
> >> > > pristine-tar. Instead of pristine-tar, invent new tooling to manage
> >> > > tarballs.
> >> > > This path often tries to solve the problem only for Debian and only
> >> > > in a narrow scenario.
> >> > >
> >> > > 2) Have all uploads always supply a new orig.tar.gz. This could mean
> >> > > either treating every package as Debian-native, or some other
> >> > > solution.
> >> > > This is a global solution and reduces complexity instead of adding
> >> > > to it.
> >> > 
> >> > Until we record expected upstream tarball hashes in a debian/* file, an
> >> > acceptable approach seems to be to skip the pristine-tar branch and be
> >> > sure to download the previous orig.tar.* + orig.tar.*.asc from the
> >> > Debian archive, instead of attempting to re-generate it from the
> >> > upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).
> >> 
> >> This is 1). It cannot be done generically as it requires knowing
> >> where to download from, etc.
> >
> > The archive, when the tarball is already there.
> >
> > These suggestions never discuss what to do when the tarball was never
> > uploaded yet, even I didn't discuss that for simplicity. It makes sense
> > from some PoVs, at least when one doesn't use pristine-tar to make a
> > tarball that has differences in the actual content, not just bit
> > differences in the tarball itself while have identical file contents.
> 
> If you haven't made an upload, then wouldn't you have the tarball
> locally while working on preparing the upload?
> 
> And if someone doesn't have the orig.tar.gz locally, then why would
> anyone want to get it from a random git repository, rather than fetching
> it from the Debian archive or from upstream's release page?  What is the
> use-case here that am I missing?

Yup, as I said it makes sense. It just feels fragile to me when the
"pristine" tarball for a given upstream tag in a given repo is not
determined until someone uploads it.
And, as I also said, there are use cases (arguably buggy) when the tarball
contents is actually modified.

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Marc Haber
On Tue, Nov 26, 2024 at 08:49:44PM +0100, Simon Josefsson wrote:
> Andrey Rakhmatullin  writes:
> > On Tue, Nov 26, 2024 at 06:54:18PM +0100, Chris Hofstaedtler wrote:
> >> This is 1). It cannot be done generically as it requires knowing
> >> where to download from, etc.
> >
> > The archive, when the tarball is already there.
> >
> > These suggestions never discuss what to do when the tarball was never
> > uploaded yet, even I didn't discuss that for simplicity. It makes sense
> > from some PoVs, at least when one doesn't use pristine-tar to make a
> > tarball that has differences in the actual content, not just bit
> > differences in the tarball itself while have identical file contents.
> 
> If you haven't made an upload, then wouldn't you have the tarball
> locally while working on preparing the upload?
> 
> And if someone doesn't have the orig.tar.gz locally, then why would
> anyone want to get it from a random git repository, rather than fetching
> it from the Debian archive or from upstream's release page?  What is the
> use-case here that am I missing?

.orig.tar tarball handling is a horrible mess. I have been a DD for two
decades, have experienced at least three methods to handle them, and
still, upstream tarballs get put by tools in a place where other tools
don't expect them, get misnamed, are compressed by one tool in a format
that the next tool doesn't understand (yet/any more). It invariably
always takes me at least a second try to get it right, and I would LOVE
that having a pristine-tar branch would make me get rid of this chaos by
just rebuilding the .orig.tar.gz if it isnt found in a place where $TOOL
expects it.

It's only a major nuisance compared to others that we have in the
project, but if I had an Euro for every time I have sighed and mv'ed a
tarball, I'd be rich and be able to work almost full time on Debian.

Greetings
Marc


-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Simon Josefsson
gregor herrmann  writes:

> On Tue, 26 Nov 2024 20:49:44 +0100, Simon Josefsson wrote:
>
>> If you haven't made an upload, then wouldn't you have the tarball
>> locally while working on preparing the upload?
>> And if someone doesn't have the orig.tar.gz locally, then why would
>> anyone want to get it from a random git repository, rather than fetching
>> it from the Debian archive or from upstream's release page?  What is the
>> use-case here that am I missing?
>
> Person A creates a package, person B wants to work on it; use cases:
> teams in general, and sponsoring within or outside of teams.
>
> As person B I don't want to go hunting for a tarball and place it in
> the right place, I want gbp to re-create it from the pristine-tar
> branch.

That's not terribly convincing for a project-wide default, as
maintaining the tarball costs human time and storage space, and any
failures in pristine-tar handling takes time to debug too.

As person B above, I would personally prefer to chase down the trusted
intended tarball from upstream than to trust a random git repository for
it.  So the workflow you describe is not universal.

Few people seems to PGP sign their pristine-tar commits.  There are no
PGP-signed git tags on pristine-tar branch.  So there is no trust or
integrity protection of the pristine-tar tarball content, beyond git
HTTPS/SSH protection.

It is not uncommon to find pristine-tar branches with *.orig.tar.gz but
the corresponding (and uploaded) *.orig.tar.gz.asc file is not included.

Interestingly, I preferred use of pristine-tar branches before this
thread, but unless some more convincing argument appears I have changed
my opinion.

/Simon


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread gregor herrmann
On Tue, 26 Nov 2024 20:49:44 +0100, Simon Josefsson wrote:

> If you haven't made an upload, then wouldn't you have the tarball
> locally while working on preparing the upload?
> And if someone doesn't have the orig.tar.gz locally, then why would
> anyone want to get it from a random git repository, rather than fetching
> it from the Debian archive or from upstream's release page?  What is the
> use-case here that am I missing?

Person A creates a package, person B wants to work on it; use cases:
teams in general, and sponsoring within or outside of teams.

As person B I don't want to go hunting for a tarball and place it in
the right place, I want gbp to re-create it from the pristine-tar
branch.
 

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   


signature.asc
Description: Digital Signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Chris Hofstaedtler
* Colin Watson  [241126 23:34]:
> On Tue, Nov 26, 2024 at 09:25:12PM +0100, Simon Josefsson wrote:
> > Colin Watson  writes:
> > > CI for a new-upstream-release commit you've pushed but haven't uploaded
> > > to the Debian archive yet, because you're waiting for CI.
> > >
> > > pristine-tar certainly isn't the only way here (it's true that CI could
> > > in principle fetch it directly from upstream), but I find it much easier
> > > than the alternatives.
> > 
> > I often wait for CI before making an upload of a new upstream release,
> > even without pristine-tar, and Salsa CI hasn't had trouble automatically
> > finding a orig.tar.gz to work with for me.  So maybe there is some
> > additional assumption for your situation?
> 
> Maybe it runs uscan or something in that case;

It runs gbp export-orig (plus some fallbacks). If there is no
pristine-tar branch, gbp will use the upstream branch.

That won't be bit-identical to the upstream tarball.

So, without pristine-tar, salsa CI tests something that might not
work.

> Still, as long as it's building source packages as part of the
> process, conceptually I prefer it having all the information in the
> repository rather than having to go out to an upstream site that might
> be unreliable.

Yeah.

Chris



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread Otto Kekäläinen
Hi!

On Wed, 27 Nov 2024 at 00:47,  wrote:
>
> Hi Johannes,
>
> Le 2024-11-22 12:45, Johannes Schauer Marin Rodrigues a écrit :
> > That's what I'm doing. But that works with tarballs not with upstream
> > as git.
> > If upstream (deliberately, so this will not change) has DSFG-non-free
> > content
> > in it, then I should not copy that into a git packaging repo that is
> > targeting
> > main. Removing the problematic parts from the upstream git repos would
> > rewrite
> > their history, invalidate tags etc, so the result would not be very
> > useful
> > anymore. Thus, I usually have one directory on my PC with the upstream
> > git and
> > another with my Debian packaging git.
>
> For most projects but the larger ones, you could simply add an
> `upstream` remote to your local packaging repo. This makes it easier to
> diff or look/import specific upstream commits.
>
> For packaging I usually work with 3 remotes (and no `origin` to avoid
> mistakes):
> - debian (the team-managed packaging repo on salsa)
> - clone (my own clone of the packaging repo as I don't have update
> rights on team repos)
> - upstream, which is very convenient for their tags, history and cherry
> picking.

Note that is your package has the debian/upstream/metadata file, and
that file has field "Repository", you can simply run:

gbp clone vcsgit: --add-upstream-vcs

..and the resulting repo will automatically have salsa as 'origin' and
the real upstream as 'upstreamvcs':

± git remote -v
origin g...@salsa.debian.org:debian/entr.git (fetch)
origin g...@salsa.debian.org:debian/entr.git (push)
upstreamvcs https://github.com/eradman/entr (fetch)
upstreamvcs https://github.com/eradman/entr (push)

I recommend using 'upstreamvcs' as the upstream origin name to avoid
conflicts with tags and branches that start with 'upstream/*' (gbp
uses that name automatically).



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-27 Thread sre4ever

Hi Johannes,

Le 2024-11-22 12:45, Johannes Schauer Marin Rodrigues a écrit :
That's what I'm doing. But that works with tarballs not with upstream 
as git.
If upstream (deliberately, so this will not change) has DSFG-non-free 
content
in it, then I should not copy that into a git packaging repo that is 
targeting
main. Removing the problematic parts from the upstream git repos would 
rewrite
their history, invalidate tags etc, so the result would not be very 
useful
anymore. Thus, I usually have one directory on my PC with the upstream 
git and

another with my Debian packaging git.


For most projects but the larger ones, you could simply add an 
`upstream` remote to your local packaging repo. This makes it easier to 
diff or look/import specific upstream commits.


For packaging I usually work with 3 remotes (and no `origin` to avoid 
mistakes):

- debian (the team-managed packaging repo on salsa)
- clone (my own clone of the packaging repo as I don't have update 
rights on team repos)
- upstream, which is very convenient for their tags, history and cherry 
picking.


Cheers,

--
Julien Plissonneau Duquène



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Marco d'Itri
On Nov 27, Johannes Schauer Marin Rodrigues  wrote:

> If the upstream tarball is in the archive, it's probably okay to retrieve one
> from there.  It's not always trivial because now you need to have the right
> "deb-src" lines enabled in your apt sources.list but it's possible. But how do
It is trivial enough if I have deb-src configured, or else I spend 30 
seconds manually downloading the file.

> you collaborate with others on packages that were not uploaded to the desired
> suite yet? Do you not use git for collaboration until the package has passed
> NEW?
I am not sure why I would need a matching .orig.tar.xz for a package 
which is not in the archive, but in that case if anybody needed one then 
they could get it along with the binary packages from the temporary 
directory on my web site.
I do not think that you are making a great argument for pristine-tar if 
it boils down to such an infrequent use case.

-- 
ciao,
Marco


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Aaron Rainbolt
On Tue, Nov 26, 2024 at 10:31 PM Otto Kekäläinen  wrote:
>
> Hi,
>
> (replying in one email to various comments in past 24h)
>
> > How common debian/gbp.conf points at something else: perhaps gbp's
> > defaults are not good, if that many packages need to override them.
>
> First of all may I ask you to not use terms like 'not good' as it may
> come off negative towards the maintainer of that software. Guido has
> done an amazing job with git-buildpackage and we certainly want him to
> continue iterating on it.
>
> I also suggest you to participate in gbp development, as currently it
> is 95% Guido alone. At
> https://salsa.debian.org/agx/git-buildpackage/-/commits/master you can
> for example suggest changes to those defaults along with a migration
> path, or you can help with just improving the documentation so people
> more easily end up choosing the right options.
>
> Secondly, it is perfectly valid for evey single package to have a
> debian/gbp.conf and I would in fact prefer that. For every upstream we
> need to have metadata on:
> - do they have tarball releases (pristine-tar true/false)
> - do they have git tags and what is the format (upstream-vcs-tag)
> - are those git tags expected to be signed or not (upstream-signatures on/off)

I'm not really following this thread, but I sincerely hope you aren't
suggesting that every package in Debian have a gbp.conf file. (I don't
think you are on closer inspection, I think you mean that it's valid
for every package *that uses gbp* to have a config file.) I very
intentionally don't use it (it has its place, but for the packages I
work on it is overkill and greatly complicates my job as a developer
with very little payoff), and have no desire to use it. If it was to
be made mandatory for all packages, in all likelihood I would comply,
but I would not be happy.

This isn't to lambast gbp at all - like I said, it has its uses. It
just doesn't have uses for me, due to a mixture of my needs and my
preferences.

(Off-topic, but part of the reason I don't use gbp is the docs for how
to use it are just not enough to actually figure out what you're
doing. Just a documentation revamp or initial tutorial for it would be
awesome. Maybe if I ever relearn it I should help with that...)

--
Aaron

> If a package maintains stable releases or backports or Ubuntu
> versions, or if upstream has multiple lines of parallel major version
> releases each branch also needs a debian/gbp.conf to tell what are the
> correct settings for that branch.
>
> > > Until we record expected upstream tarball hashes in a debian/* file, an
> > > acceptable approach seems to be to skip the pristine-tar branch and be
> > > sure to download the previous orig.tar.* + orig.tar.*.asc from the
> > > Debian archive, instead of attempting to re-generate it from the
> > > upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).
> >
> > This is 1). It cannot be done generically as it requires knowing
> > where to download from, etc.
> >
> > > I have never understood what value there is in duplicating the uploaded
> > > tarball in the git repository.  Recording a hash of it is sufficient.
> >
> > The hash is sufficient for knowing it changed, but you still have to
> > get the actual tarball from somewhere.
>
> Don't we have uscan in all packages? If would be nice if
> https://codesearch.debian.net/ supported searching just the existense
> of files so one could check this out quickly.
>
> The way most other Linux distros do this is that they have sha256 sums
> in the package definition, and a url where to download upstream
> tarball from. In Debian we have debian/watch for the latter, but no
> sha256sum to verify the exact version.
>
> We could, if we want, introduce for example a new file
> debian/source/origin which could automatically be updated by uscan to
> have the exact url and sha256sum and the maintainer just needs to
> commit it after running uscan to import the upstream sources.
>
> However it will take years to design and agree on a new file and have
> it in the policy and roll it out.
>
> The good thing with git-buildpackage is that we have it already,
> thousands of packages uses it, and it works well and is fully capable
> of producing the source files consumed by dpkg-buildpackage etc to
> build the package.
>
>
> > > > One possible rebuttal to this is "gbp needs to do the right thing then".
> > > > Currently gbp by default generates a broken tarball, which is also a
> > > > source of confusion for many.
> > >
> > > Do you have a bug report number?
> >
> > No.
> > I've found #902249 which is titled "Pull tarballs from the archive (or
> > upstream location)", maybe that's the one you think about. I haven't read
> > it, except for the "I hoped we could stay out of that business in 2018 but
> > since tarballs are still _the_ _thing_ in Debian" line, which I liked.
> >
> > For the avoidance of doubt, I don't think gbp *can* do the right thing
> > there. It's not my rebuttal. Maybe 

Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Otto Kekäläinen
Hi,

(replying in one email to various comments in past 24h)

> How common debian/gbp.conf points at something else: perhaps gbp's
> defaults are not good, if that many packages need to override them.

First of all may I ask you to not use terms like 'not good' as it may
come off negative towards the maintainer of that software. Guido has
done an amazing job with git-buildpackage and we certainly want him to
continue iterating on it.

I also suggest you to participate in gbp development, as currently it
is 95% Guido alone. At
https://salsa.debian.org/agx/git-buildpackage/-/commits/master you can
for example suggest changes to those defaults along with a migration
path, or you can help with just improving the documentation so people
more easily end up choosing the right options.

Secondly, it is perfectly valid for evey single package to have a
debian/gbp.conf and I would in fact prefer that. For every upstream we
need to have metadata on:
- do they have tarball releases (pristine-tar true/false)
- do they have git tags and what is the format (upstream-vcs-tag)
- are those git tags expected to be signed or not (upstream-signatures on/off)

If a package maintains stable releases or backports or Ubuntu
versions, or if upstream has multiple lines of parallel major version
releases each branch also needs a debian/gbp.conf to tell what are the
correct settings for that branch.

> > Until we record expected upstream tarball hashes in a debian/* file, an
> > acceptable approach seems to be to skip the pristine-tar branch and be
> > sure to download the previous orig.tar.* + orig.tar.*.asc from the
> > Debian archive, instead of attempting to re-generate it from the
> > upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).
>
> This is 1). It cannot be done generically as it requires knowing
> where to download from, etc.
>
> > I have never understood what value there is in duplicating the uploaded
> > tarball in the git repository.  Recording a hash of it is sufficient.
>
> The hash is sufficient for knowing it changed, but you still have to
> get the actual tarball from somewhere.

Don't we have uscan in all packages? If would be nice if
https://codesearch.debian.net/ supported searching just the existense
of files so one could check this out quickly.

The way most other Linux distros do this is that they have sha256 sums
in the package definition, and a url where to download upstream
tarball from. In Debian we have debian/watch for the latter, but no
sha256sum to verify the exact version.

We could, if we want, introduce for example a new file
debian/source/origin which could automatically be updated by uscan to
have the exact url and sha256sum and the maintainer just needs to
commit it after running uscan to import the upstream sources.

However it will take years to design and agree on a new file and have
it in the policy and roll it out.

The good thing with git-buildpackage is that we have it already,
thousands of packages uses it, and it works well and is fully capable
of producing the source files consumed by dpkg-buildpackage etc to
build the package.


> > > One possible rebuttal to this is "gbp needs to do the right thing then".
> > > Currently gbp by default generates a broken tarball, which is also a
> > > source of confusion for many.
> >
> > Do you have a bug report number?
>
> No.
> I've found #902249 which is titled "Pull tarballs from the archive (or
> upstream location)", maybe that's the one you think about. I haven't read
> it, except for the "I hoped we could stay out of that business in 2018 but
> since tarballs are still _the_ _thing_ in Debian" line, which I liked.
>
> For the avoidance of doubt, I don't think gbp *can* do the right thing
> there. It's not my rebuttal. Maybe gbp should just refuse to generate a
> random tarball from a commit-ish and let^Wrequire people to provide one or
> provide a way to generate one in a correct way.

I often hear this complaint about pristine-tar, but I don't take it
seriously until somebody actually files a bug report and has a
reproducible case. For every single package I maintain I use
pristine-tar and it works correctly.

Personally I try to leverage upstream signatures both for tarballs and
git tags as always when available, and for tarballs it requires
pristine-tar, so I would not stop using pristine-tar as long as it
works.



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Johannes Schauer Marin Rodrigues
Quoting Marco d'Itri (2024-11-26 23:34:24)
> On Nov 26, Jonathan Dowland  wrote:
> > On Tue Nov 26, 2024 at 10:50 AM GMT, Andrey Rakhmatullin wrote:
> > > Yes, as they don't enable pristine-tar
> > Is pristine-tar still valuable these days?
> Not really. The debian branches of all of my packages[1] are based off 
> the upstream git repository, which is what I also use to review new 
> upstream releases and generate the .orig.tar.xz file for the archive.
> I could not care less if that file is not bit per bit identical to the 
> upstream one (the git trees have signatures), or even if it does not 
> contain the same files (this is usually better, so I do not need to carry
> around files which we like to rebuild anyway).

If the upstream tarball is in the archive, it's probably okay to retrieve one
from there.  It's not always trivial because now you need to have the right
"deb-src" lines enabled in your apt sources.list but it's possible. But how do
you collaborate with others on packages that were not uploaded to the desired
suite yet? Do you not use git for collaboration until the package has passed
NEW?

Thanks!

cheers, josch

signature.asc
Description: signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Marco d'Itri
On Nov 26, Jonathan Dowland  wrote:

> On Tue Nov 26, 2024 at 10:50 AM GMT, Andrey Rakhmatullin wrote:
> > Yes, as they don't enable pristine-tar
> Is pristine-tar still valuable these days?
Not really. The debian branches of all of my packages[1] are based off 
the upstream git repository, which is what I also use to review new 
upstream releases and generate the .orig.tar.xz file for the archive.
I could not care less if that file is not bit per bit identical to the 
upstream one (the git trees have signatures), or even if it does not 
contain the same files (this is usually better, so I do not need to 
carry around files which we like to rebuild anyway).

Actually I use gbp.conf to make sure that pristine-tar is disabled.

[1] except than the openbsd-derived ones, because CVS.

-- 
ciao,
Marco


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Colin Watson
On Tue, Nov 26, 2024 at 09:25:12PM +0100, Simon Josefsson wrote:
> Colin Watson  writes:
> > CI for a new-upstream-release commit you've pushed but haven't uploaded
> > to the Debian archive yet, because you're waiting for CI.
> >
> > pristine-tar certainly isn't the only way here (it's true that CI could
> > in principle fetch it directly from upstream), but I find it much easier
> > than the alternatives.
> 
> I often wait for CI before making an upload of a new upstream release,
> even without pristine-tar, and Salsa CI hasn't had trouble automatically
> finding a orig.tar.gz to work with for me.  So maybe there is some
> additional assumption for your situation?

Maybe it runs uscan or something in that case; I confess I haven't
checked.  Still, as long as it's building source packages as part of the
process, conceptually I prefer it having all the information in the
repository rather than having to go out to an upstream site that might
be unreliable.

-- 
Colin Watson (he/him)  [cjwat...@debian.org]



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Simon Josefsson
Colin Watson  writes:

> On Tue, Nov 26, 2024 at 08:49:44PM +0100, Simon Josefsson wrote:
>> If you haven't made an upload, then wouldn't you have the tarball
>> locally while working on preparing the upload?
>> 
>> And if someone doesn't have the orig.tar.gz locally, then why would
>> anyone want to get it from a random git repository, rather than fetching
>> it from the Debian archive or from upstream's release page?  What is the
>> use-case here that am I missing?
>
> CI for a new-upstream-release commit you've pushed but haven't uploaded
> to the Debian archive yet, because you're waiting for CI.
>
> pristine-tar certainly isn't the only way here (it's true that CI could
> in principle fetch it directly from upstream), but I find it much easier
> than the alternatives.

I often wait for CI before making an upload of a new upstream release,
even without pristine-tar, and Salsa CI hasn't had trouble automatically
finding a orig.tar.gz to work with for me.  So maybe there is some
additional assumption for your situation?

/Simon


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Colin Watson
On Tue, Nov 26, 2024 at 08:49:44PM +0100, Simon Josefsson wrote:
> If you haven't made an upload, then wouldn't you have the tarball
> locally while working on preparing the upload?
> 
> And if someone doesn't have the orig.tar.gz locally, then why would
> anyone want to get it from a random git repository, rather than fetching
> it from the Debian archive or from upstream's release page?  What is the
> use-case here that am I missing?

CI for a new-upstream-release commit you've pushed but haven't uploaded
to the Debian archive yet, because you're waiting for CI.

pristine-tar certainly isn't the only way here (it's true that CI could
in principle fetch it directly from upstream), but I find it much easier
than the alternatives.

-- 
Colin Watson (he/him)  [cjwat...@debian.org]



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Simon Josefsson
Andrey Rakhmatullin  writes:

> On Tue, Nov 26, 2024 at 06:54:18PM +0100, Chris Hofstaedtler wrote:
>> > >> > Yes, as they don't enable pristine-tar
>> > >> 
>> > >> Is pristine-tar still valuable these days?
>> > >
>> > > Unfortunately yes. AFAIK the two options for fixing this that are
>> > > usually proposed are:
>> > >
>> > > 1) treat it as a problem of each individual developer, just like
>> > > pristine-tar. Instead of pristine-tar, invent new tooling to manage
>> > > tarballs.
>> > > This path often tries to solve the problem only for Debian and only
>> > > in a narrow scenario.
>> > >
>> > > 2) Have all uploads always supply a new orig.tar.gz. This could mean
>> > > either treating every package as Debian-native, or some other
>> > > solution.
>> > > This is a global solution and reduces complexity instead of adding
>> > > to it.
>> > 
>> > Until we record expected upstream tarball hashes in a debian/* file, an
>> > acceptable approach seems to be to skip the pristine-tar branch and be
>> > sure to download the previous orig.tar.* + orig.tar.*.asc from the
>> > Debian archive, instead of attempting to re-generate it from the
>> > upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).
>> 
>> This is 1). It cannot be done generically as it requires knowing
>> where to download from, etc.
>
> The archive, when the tarball is already there.
>
> These suggestions never discuss what to do when the tarball was never
> uploaded yet, even I didn't discuss that for simplicity. It makes sense
> from some PoVs, at least when one doesn't use pristine-tar to make a
> tarball that has differences in the actual content, not just bit
> differences in the tarball itself while have identical file contents.

If you haven't made an upload, then wouldn't you have the tarball
locally while working on preparing the upload?

And if someone doesn't have the orig.tar.gz locally, then why would
anyone want to get it from a random git repository, rather than fetching
it from the Debian archive or from upstream's release page?  What is the
use-case here that am I missing?

I've always preferred to work with a pristine-tar branch myself, but I'm
having trouble coming up with a strong motivation for its existance, so
maybe backing down from that preference is a way forward.

/Simon


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Andrey Rakhmatullin
On Tue, Nov 26, 2024 at 06:53:01PM +0100, Mechtilde Stehmann wrote:
> > One possible rebuttal to this is "gbp needs to do the right thing then".
> > Currently gbp by default generates a broken tarball, which is also a
> > source of confusion for many.
> 
> Do you have a bug report number?

No.
I've found #902249 which is titled "Pull tarballs from the archive (or
upstream location)", maybe that's the one you think about. I haven't read
it, except for the "I hoped we could stay out of that business in 2018 but
since tarballs are still _the_ _thing_ in Debian" line, which I liked.

For the avoidance of doubt, I don't think gbp *can* do the right thing
there. It's not my rebuttal. Maybe gbp should just refuse to generate a
random tarball from a commit-ish and let^Wrequire people to provide one or
provide a way to generate one in a correct way.

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Andrey Rakhmatullin
On Tue, Nov 26, 2024 at 06:54:18PM +0100, Chris Hofstaedtler wrote:
> > >> > Yes, as they don't enable pristine-tar
> > >> 
> > >> Is pristine-tar still valuable these days?
> > >
> > > Unfortunately yes. AFAIK the two options for fixing this that are
> > > usually proposed are:
> > >
> > > 1) treat it as a problem of each individual developer, just like
> > > pristine-tar. Instead of pristine-tar, invent new tooling to manage
> > > tarballs.
> > > This path often tries to solve the problem only for Debian and only
> > > in a narrow scenario.
> > >
> > > 2) Have all uploads always supply a new orig.tar.gz. This could mean
> > > either treating every package as Debian-native, or some other
> > > solution.
> > > This is a global solution and reduces complexity instead of adding
> > > to it.
> > 
> > Until we record expected upstream tarball hashes in a debian/* file, an
> > acceptable approach seems to be to skip the pristine-tar branch and be
> > sure to download the previous orig.tar.* + orig.tar.*.asc from the
> > Debian archive, instead of attempting to re-generate it from the
> > upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).
> 
> This is 1). It cannot be done generically as it requires knowing
> where to download from, etc.

The archive, when the tarball is already there.

These suggestions never discuss what to do when the tarball was never
uploaded yet, even I didn't discuss that for simplicity. It makes sense
from some PoVs, at least when one doesn't use pristine-tar to make a
tarball that has differences in the actual content, not just bit
differences in the tarball itself while have identical file contents.

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Chris Hofstaedtler
* Simon Josefsson  [241126 16:27]:
> Chris Hofstaedtler  writes:
> 
> > * Jonathan Dowland  [241126 12:59]:
> >> On Tue Nov 26, 2024 at 10:50 AM GMT, Andrey Rakhmatullin wrote:
> >> > Yes, as they don't enable pristine-tar
> >> 
> >> Is pristine-tar still valuable these days?
> >
> > Unfortunately yes. AFAIK the two options for fixing this that are
> > usually proposed are:
> >
> > 1) treat it as a problem of each individual developer, just like
> > pristine-tar. Instead of pristine-tar, invent new tooling to manage
> > tarballs.
> > This path often tries to solve the problem only for Debian and only
> > in a narrow scenario.
> >
> > 2) Have all uploads always supply a new orig.tar.gz. This could mean
> > either treating every package as Debian-native, or some other
> > solution.
> > This is a global solution and reduces complexity instead of adding
> > to it.
> 
> Until we record expected upstream tarball hashes in a debian/* file, an
> acceptable approach seems to be to skip the pristine-tar branch and be
> sure to download the previous orig.tar.* + orig.tar.*.asc from the
> Debian archive, instead of attempting to re-generate it from the
> upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).

This is 1). It cannot be done generically as it requires knowing
where to download from, etc.

> I have never understood what value there is in duplicating the uploaded
> tarball in the git repository.  Recording a hash of it is sufficient.

The hash is sufficient for knowing it changed, but you still have to
get the actual tarball from somewhere.

Chris



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Mechtilde Stehmann

Hello Andrey,

Am 26.11.24 um 17:44 schrieb Andrey Rakhmatullin:

On Tue, Nov 26, 2024 at 04:27:37PM +0100, Simon Josefsson wrote:

One possible rebuttal to this is "gbp needs to do the right thing then".
Currently gbp by default generates a broken tarball, which is also a
source of confusion for many.


Do you have a bug report number?




--
Mechtilde Stehmann
## Debian Developer
## PGP encryption welcome
## F0E3 7F3D C87A 4998 2899  39E7 F287 7BBA 141A AD7F



OpenPGP_signature.asc
Description: OpenPGP digital signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Holger Levsen
On Tue, Nov 26, 2024 at 09:44:31PM +0500, Andrey Rakhmatullin wrote:
> Currently gbp by default generates a broken tarball, which is also a
> source of confusion for many.

I'd dare to even call this a bug.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Hope isn't a plan, but it's a hell of a drug.


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Andrey Rakhmatullin
On Tue, Nov 26, 2024 at 04:27:37PM +0100, Simon Josefsson wrote:
> >> > Yes, as they don't enable pristine-tar
> >> 
> >> Is pristine-tar still valuable these days?
> >
> > Unfortunately yes. AFAIK the two options for fixing this that are
> > usually proposed are:
> >
> > 1) treat it as a problem of each individual developer, just like
> > pristine-tar. Instead of pristine-tar, invent new tooling to manage
> > tarballs.
> > This path often tries to solve the problem only for Debian and only
> > in a narrow scenario.
> >
> > 2) Have all uploads always supply a new orig.tar.gz. This could mean
> > either treating every package as Debian-native, or some other
> > solution.
> > This is a global solution and reduces complexity instead of adding
> > to it.
> 
> Until we record expected upstream tarball hashes in a debian/* file, an
> acceptable approach seems to be to skip the pristine-tar branch and be
> sure to download the previous orig.tar.* + orig.tar.*.asc from the
> Debian archive, instead of attempting to re-generate it from the
> upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).
> 
> I have never understood what value there is in duplicating the uploaded
> tarball in the git repository.  Recording a hash of it is sufficient.
> But I'm also happy to work with pristine-tar branches when that is the
> workflow for a particular package.  I just wish the tooling handled
> *.asc files better, and stored them too automatically.

One possible rebuttal to this is "gbp needs to do the right thing then".
Currently gbp by default generates a broken tarball, which is also a
source of confusion for many.

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Simon Josefsson
Chris Hofstaedtler  writes:

> * Jonathan Dowland  [241126 12:59]:
>> On Tue Nov 26, 2024 at 10:50 AM GMT, Andrey Rakhmatullin wrote:
>> > Yes, as they don't enable pristine-tar
>> 
>> Is pristine-tar still valuable these days?
>
> Unfortunately yes. AFAIK the two options for fixing this that are
> usually proposed are:
>
> 1) treat it as a problem of each individual developer, just like
> pristine-tar. Instead of pristine-tar, invent new tooling to manage
> tarballs.
> This path often tries to solve the problem only for Debian and only
> in a narrow scenario.
>
> 2) Have all uploads always supply a new orig.tar.gz. This could mean
> either treating every package as Debian-native, or some other
> solution.
> This is a global solution and reduces complexity instead of adding
> to it.

Until we record expected upstream tarball hashes in a debian/* file, an
acceptable approach seems to be to skip the pristine-tar branch and be
sure to download the previous orig.tar.* + orig.tar.*.asc from the
Debian archive, instead of attempting to re-generate it from the
upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).

I have never understood what value there is in duplicating the uploaded
tarball in the git repository.  Recording a hash of it is sufficient.
But I'm also happy to work with pristine-tar branches when that is the
workflow for a particular package.  I just wish the tooling handled
*.asc files better, and stored them too automatically.

/Simon


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Andrey Rakhmatullin
On Tue, Nov 26, 2024 at 11:59:26AM +, Jonathan Dowland wrote:
> > Yes, as they don't enable pristine-tar
> 
> Is pristine-tar still valuable these days?

Extremely, unless your workflow requires using something else to get the
upstream tarball from the archive (among other less important
requirements). Though many people don't use d/gbp.conf for this, with
predictable results when someone else than those people tries to build
the repo.

> > and cannot guess your branch naming system.
> 
> I haven't checked, but in an ideal world gbp would default to the same
> values for these as described in DEP-14.  In that same ideal world, we'd
> have DEP-14 out of Draft status.

Yes, and all the teams would use it in that ideal world. There is a bug
reported against gbp for the first of these points AFAIK.
That would be a backwards incompatible change though I guess.

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Chris Hofstaedtler
* Jonathan Dowland  [241126 12:59]:
> On Tue Nov 26, 2024 at 10:50 AM GMT, Andrey Rakhmatullin wrote:
> > Yes, as they don't enable pristine-tar
> 
> Is pristine-tar still valuable these days?

Unfortunately yes. AFAIK the two options for fixing this that are
usually proposed are:

1) treat it as a problem of each individual developer, just like
pristine-tar. Instead of pristine-tar, invent new tooling to manage
tarballs.
This path often tries to solve the problem only for Debian and only
in a narrow scenario.

2) Have all uploads always supply a new orig.tar.gz. This could mean
either treating every package as Debian-native, or some other
solution.
This is a global solution and reduces complexity instead of adding
to it.

> > and cannot guess your branch naming system.
> 
> I haven't checked, but in an ideal world gbp would default to the same
> values for these as described in DEP-14.  In that same ideal world, we'd
> have DEP-14 out of Draft status.

IIRC gbp has an open bug for that in the state of "please send
patches that do not break backwards compat".
DEP14 also IMO needs to make a call on the layout, and not leave
options, for any tooling to support it.

Chris



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Jonathan Dowland

On Tue Nov 26, 2024 at 10:50 AM GMT, Andrey Rakhmatullin wrote:

Yes, as they don't enable pristine-tar


Is pristine-tar still valuable these days?


and cannot guess your branch naming system.


I haven't checked, but in an ideal world gbp would default to the same
values for these as described in DEP-14.  In that same ideal world, we'd
have DEP-14 out of Draft status.

--
Please do not CC me for listmail.

👱🏻  Jonathan Dowland
✎j...@debian.org
🔗   https://jmtd.net



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Andrey Rakhmatullin
On Tue, Nov 26, 2024 at 08:51:43AM +, Jonathan Dowland wrote:
> How common debian/gbp.conf points at something else: perhaps gbp's defaults
> are not good, if that many packages need to override them.

Yes, as they don't enable pristine-tar and cannot guess your branch naming
system.

-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Jonathan Dowland

On Fri Nov 22, 2024 at 11:29 AM GMT, Simon Josefsson wrote:

I thought about the gbp aspect of the lets-move-things-to-salsa and I
suggest to consider if they are better left orthogonal.  Could you make
one DEP for lets-move-to-salsa and one DEP for
lets-document-a-build-workflow?


I haven't read Otto's rewrite of DEP-18 yet, but that was my feeling 
from the first iteration: it's a really grand project trying to do lots 
at once. I'd like to see some progress in this space and I think the 
chance of success is much better with smaller, more targeted proposals, 
that can pass muster and be adopted in series.


--

Please do not CC me for listmail.

👱🏻  Jonathan Dowland
✎j...@debian.org
🔗   https://jmtd.net



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-26 Thread Jonathan Dowland

On Thu Nov 21, 2024 at 4:10 AM GMT, Otto Kekäläinen wrote:

There is a debian/gbp.conf in 13573 packages in Debian


This is an interesting proxy measure for the prevalence of gbp usage. It 
probably undercounts: I sometimes use gbp but I've only got this file in 
one of my sources (one I recently inherited from others).


How common debian/gbp.conf points at something else: perhaps gbp's 
defaults are not good, if that many packages need to override them.


--
Please do not CC me for listmail.

👱🏻  Jonathan Dowland
✎j...@debian.org
🔗   https://jmtd.net



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-22 Thread Johannes Schauer Marin Rodrigues
Hi,

Quoting Otto Kekäläinen (2024-11-23 00:09:41)
> You can have upstream git and tarballs at the same time, and even have DFSG
> cleanup take place and git show you exactly the differences of all the
> versions.

I'm interested in the DFSG cleanup. How can this be done while having an
upstream git repo that ships these files? Your example of src:entr does not
seem to have any Files-Excluded.

> If you look at
> https://salsa.debian.org/debian/entr/-/network/debian%2Flatest?extended_sha1=debian%2Flatest&filter_ref=1
> (or better, gbp clone it locally to more easily browse it with `gitk --all`)
> you can see how the upstream release git tag "5.6" was merged on branch
> 'upstream/latest' which is the target of tarball imports, and that was then
> merged on the 'debian/latest' branch. Commands how to do this are in
> https://salsa.debian.org/debian/entr/-/blob/debian/latest/debian/README.source.md

This is a really good write-up. Can we have this in a more prominent place than
in a README.source of some "random" package?

> and the
> https://salsa.debian.org/debian/entr/-/blob/debian/latest/debian/gbp.conf has
> the configs so git-buildpackage can be used without the need to constantly
> pass it information about upstream git tag format etc.

That gbp.conf touches 15 settings. Can gbp not do the right thing by default?

> For dfsg-filtering the watchfile options only apply for uscan/tarball. To
> ensure the upstream/latest branch stays dfsg-clean on git merges, configure
> 'filter' in debian/gbp.conf.

You mean in [import-orig]? Will this need to duplicate the entries that already
exist in Files-Excluded?

> Which package do you have DFSG tarballs? I can take a look and help you
> convert it into something where the import is as automatic as possible.

The import is automatic. I just run "uscan --verbose" and then "gbp import
orig" and uscan will take care of using Files-Excluded to clean up the tarball.

Thanks!

cheers, josch

signature.asc
Description: signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-22 Thread Otto Kekäläinen
Hi!

> > I am contemplating if I should also make videos on Debian packaging best
> > practices, or have start a new Matrix channel specifically to help
> > maintainers setup their git repositories correctly and find the optimal
> > git-buildpackage commands for each thing they want to do.
>
> I'd describe myself of being in the camp of "I don't care about the
commands, i
> don't care how my git branches are named, just document one thing so that
my
> packages can do the same thing that most other packages do". For that
reason I
> so far created new package repos with "gbp import-dsc" and used all the
> defaults that come with that. I don't think I care much for what these
defaults
> are at least I didn't see myself reading past discussions about this and
> thinking "no don't name this branch debian/latest instead of
debian/foo" or
> something. I like to read of other people's workflows but then I often do
not
> see how their workflows can possibly fit my packages. There seem to be
many
> people who have the upstream git as part of their packaging git. I'm
happy that
> works for them but I don't see how I can leave my tarball-centered
workflows
> (even though all my upstream work in git) if all my upstreams ship DFSG
> non-free material which I have to remove from their tarballs first.

You can have upstream git and tarballs at the same time, and even have DFSG
cleanup take place and git show you exactly the differences of all the
versions.

If you look at
https://salsa.debian.org/debian/entr/-/network/debian%2Flatest?extended_sha1=debian%2Flatest&filter_ref=1
(or better, gbp clone it locally to more easily browse it with `gitk
--all`) you can see how the upstream release git tag "5.6" was merged on
branch 'upstream/latest' which is the target of tarball imports, and that
was then merged on the 'debian/latest' branch. Commands how to do this are
in
https://salsa.debian.org/debian/entr/-/blob/debian/latest/debian/README.source.md
and the
https://salsa.debian.org/debian/entr/-/blob/debian/latest/debian/gbp.conf
has the configs so git-buildpackage can be used without the need to
constantly pass it information about upstream git tag format etc.

For dfsg-filtering the watchfile options only apply for uscan/tarball. To
ensure the upstream/latest branch stays dfsg-clean on git merges, configure
'filter' in debian/gbp.conf.


Which package do you have DFSG tarballs? I can take a look and help you
convert it into something where the import is as automatic as possible.


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-22 Thread Johannes Schauer Marin Rodrigues
Quoting Simon Josefsson (2024-11-22 12:54:02)
> Doesn't 'gbp import-orig --uscan' work if you have a watch-file like this:
> 
> version=4
> opts="mode=git, pgpmode=none,\
>   dversionmangle=s/\+ds\d*$//,repacksuffix=+ds" \
>   https://github.com/withfig/autocomplete-tools.git \
>   HEAD debian

but this uses mode=git. The documentation in uscan(1) very clearly says about
the git mode:

> If the upstream publishes the released tarball via its web interface, please
> use it instead of using this mode. This mode is the last resort method.

Or maybe this part of the documentation is just not accurate anymore and things
have changed?

> Also is there a problem to mirror upstream's non-DFSG content on Salsa?
> 
> The important aspect seems to be that *.orig.tar.* and debian/* uploaded
> into the archive shouldn't contain non-DFSG stuff if it targets main.  I
> thought Salsa can be used to maintain contrib/non-free/non-free-firmware
> projects too, so I assume there is no restriction that Salsa git repositories
> may only contain DFSG-content.

Should our users (and that includes people who want to change the source) use
the orig.tar and dsc for their development or should they not use the packaging
git instead if they want to make changes or contribute? If they use the latter,
should what they are using there not adhere to the principles of the DFSG? If I
run "apt-get source tinyusb" then it correctly suggests:

> NOTICE: 'tinyusb' packaging is maintained in the 'Git' version control system 
> at:
> https://salsa.debian.org/debian/tinyusb.git
> Please use:
> git clone https://salsa.debian.org/debian/tinyusb.git
> to retrieve the latest (possibly unreleased) updates to the package.

I don't think it would be nice if retrieving that git repo (and all the
branches needed for working with the package) would require downloading
non-free content even though tinyusb is in main. I don't think this is written
down anywhere, so maybe I'm just making life harder for myself and maybe
instead I should not feel so bad about using salsa as a hosting platform for
non-free content and then distributing that non-free content to users who want
to hack on Debian "main"?

Thanks!

cheers, josch

signature.asc
Description: signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-22 Thread Simon Josefsson
Johannes Schauer Marin Rodrigues  writes:

> Quoting Simon Josefsson (2024-11-22 12:18:36)
>> > I like to read of other people's workflows but then I often do not see how
>> > their workflows can possibly fit my packages. There seem to be many people
>> > who have the upstream git as part of their packaging git. I'm happy that
>> > works for them but I don't see how I can leave my tarball-centered
>> > workflows (even though all my upstream work in git) if all my upstreams
>> > ship DFSG non-free material which I have to remove from their tarballs
>> > first.
>> This works fairly well these days: use Files-Excluded: in d/copyright and
>> "dversionmangle=s/\+ds\d*$//,repacksuffix=+ds" in d/watch.  Tools like gbp,
>> uscan, origtargz seems to do the right thing automatically.
>
> That's what I'm doing. But that works with tarballs not with upstream
> as git.  If upstream (deliberately, so this will not change) has
> DSFG-non-free content in it, then I should not copy that into a git
> packaging repo that is targeting main. Removing the problematic parts
> from the upstream git repos would rewrite their history, invalidate
> tags etc, so the result would not be very useful anymore. Thus, I
> usually have one directory on my PC with the upstream git and another
> with my Debian packaging git. The packaging git does not have the
> upstream git with non-free content int it. Instead my packaging git
> regularly imports new upstream releases as tarballs and removes the
> non-free content via Files-Excluded and dversionmangle/repacksuffix in
> d/watch. I don't see how I can get rid of the tarballs here but
> instead embrace the (non-free) upstream git. Maybe I'm missing
> something?

Doesn't 'gbp import-orig --uscan' work if you have a watch-file like
this:

version=4
opts="mode=git, pgpmode=none,\
  dversionmangle=s/\+ds\d*$//,repacksuffix=+ds" \
  https://github.com/withfig/autocomplete-tools.git \
  HEAD debian

Also is there a problem to mirror upstream's non-DFSG content on Salsa?

The important aspect seems to be that *.orig.tar.* and debian/* uploaded
into the archive shouldn't contain non-DFSG stuff if it targets main.  I
thought Salsa can be used to maintain contrib/non-free/non-free-firmware
projects too, so I assume there is no restriction that Salsa git
repositories may only contain DFSG-content.

/Simon


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-22 Thread Johannes Schauer Marin Rodrigues
Quoting Simon Josefsson (2024-11-22 12:18:36)
> > I like to read of other people's workflows but then I often do not see how
> > their workflows can possibly fit my packages. There seem to be many people
> > who have the upstream git as part of their packaging git. I'm happy that
> > works for them but I don't see how I can leave my tarball-centered
> > workflows (even though all my upstream work in git) if all my upstreams
> > ship DFSG non-free material which I have to remove from their tarballs
> > first.
> This works fairly well these days: use Files-Excluded: in d/copyright and
> "dversionmangle=s/\+ds\d*$//,repacksuffix=+ds" in d/watch.  Tools like gbp,
> uscan, origtargz seems to do the right thing automatically.

That's what I'm doing. But that works with tarballs not with upstream as git.
If upstream (deliberately, so this will not change) has DSFG-non-free content
in it, then I should not copy that into a git packaging repo that is targeting
main. Removing the problematic parts from the upstream git repos would rewrite
their history, invalidate tags etc, so the result would not be very useful
anymore. Thus, I usually have one directory on my PC with the upstream git and
another with my Debian packaging git. The packaging git does not have the
upstream git with non-free content int it. Instead my packaging git regularly
imports new upstream releases as tarballs and removes the non-free content via
Files-Excluded and dversionmangle/repacksuffix in d/watch. I don't see how I
can get rid of the tarballs here but instead embrace the (non-free) upstream
git. Maybe I'm missing something?

Thanks!

cheers, josch

signature.asc
Description: signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-22 Thread Simon Josefsson
Otto Kekäläinen  writes:

>> in addition to the above: gbp is great if it works, if it doesn't I can
>> start to learn to debug a complex system, while on the contrary, if I use
>> git and debuild/pbuilder/sbuild manually all the time, I know those tools,
>> they are rather easy to debug etc.
>
> Personally I think gbp is very easy to debug. You just add --verbose
> to any command and it will print out what it is doing. Example:
>
> ± gbp import-orig --uscan --verbose
...

I thought about the gbp aspect of the lets-move-things-to-salsa and I
suggest to consider if they are better left orthogonal.  Could you make
one DEP for lets-move-to-salsa and one DEP for
lets-document-a-build-workflow?  The former would not talk a bout local
builds at all.  The latter would not talk about the Salsa workflow at
all.  They both intersect on git branch naming, and maybe some other
minor aspects, but don't we have that already in DEP 14?

Compare making packaging contributions to Debian to packaging
contributions to Homebrew, Alpine, OpenWRT, ArchLinux, Guix, etc.  There
is a possibility to reach a completely git-based Salsa workflow for
Debian packages that doesn't involve any local builds on people's
laptops at all.  This is comparable to Homebrew contributions, I find
them a joy to work with in comparison and can contribute even without
having any Homebrew development environment setup, or even without
physical access to a Mac.  There is no reason Debian packaging
contributions couldn't work like that.  Yes, old timers will continue
build stuff on their laptop, and that has to be fine.  We need to
resolve how to authenticate archive uploads chaining back to a DD
instead of PGP on tarball, but that is doable.

/Simon


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-22 Thread Simon Josefsson
Johannes Schauer Marin Rodrigues  writes:

> I like to read of other people's workflows but then I often do not see
> how their workflows can possibly fit my packages. There seem to be
> many people who have the upstream git as part of their packaging
> git. I'm happy that works for them but I don't see how I can leave my
> tarball-centered workflows (even though all my upstream work in git)
> if all my upstreams ship DFSG non-free material which I have to remove
> from their tarballs first.

This works fairly well these days: use Files-Excluded: in d/copyright
and "dversionmangle=s/\+ds\d*$//,repacksuffix=+ds" in d/watch.  Tools
like gbp, uscan, origtargz seems to do the right thing automatically.

> So given all this, the point I wanted to make was: I'd like to watch your
> videos if you make them. But at least for me you do not have to go through the
> trouble of shooting videos. Just some HTML docs would be just fine for me.
> Currently, I'm missing a long-term maintained document which explains "the"
> (haha) recommended Debian git workflow through the lifetime of a package from
> its initial creation to backports or stable updates.

Yes please!  There are so many details (library transitions?  non-dfsg
files?  experimental->sid migration?  go reverse-rebuilds?  etc) that
are not well documented.  I have my own big README with various workflow
commands but I deal with packages following perhaps 10+ different styles
today, and I try to respect the traditional style used in a package.

/Simon


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-21 Thread Blair Noctis
On 18/11/2024 18:16, Kari Pahula wrote:
> I'm thinking that it's the merging of debian and upstream branches and
> maintaining it that really causes the warts in gbp and I'm not at all
> sure if there are any actual workflows that require having that.
> "upstreamless" as I described it may be a bit too much for general use
> but could there be a case for doing everything with a mergeless model
> instead?  

Could we turn the current packaging format:

foo-1.2.3/ -> upstream source
  src/
  ...
  debian/ -> Debian inserted things

where debian/ must reside *inside* the upstream source; inside out:

foo-1.2.3-debian/
  ... Debian things
  upstream/ -> upstream source
src/
...

where "upstream source" could be extracted from a tarball, a cloned Git 
repository checked out at a specified commit, a Git submodule, etc. as the 
maintainer pleases. However it's produced, it is now a "guest" of the packaging 
(which now becomes the "host"), allowing the host to do more, unlike the 
current way around, where the packaging is the guest and pretty limited.

So we no longer have the problem of "merging of debian and upstream branches"?

But as wRAR stated in their other email (though not directly related):

> Yes, changing Debian so that the required workflows are more simple is
> much better but also impossible.

This whimsical "4.0 (inside-out)" format is only for your entertainment. :>

-- 
Sdrager,
Blair Noctis



OpenPGP_signature.asc
Description: OpenPGP digital signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-21 Thread Otto Kekäläinen
Hi,

> > and you seem to think adding another Debian specific complex tool will
> > attrack new people? Most people^wcontributors out there know git already,
> > for them a simple git only workflow is *much* more inviting than having
> > to learn gbp *only* to contribute to Debian.
>
> This. Exactly this.
>
> This is the reason I can contribute small improvements to Alpine and
> other projects with reasonable effort for small improvements. The
> tools are the same tools I already use elsewhere, and stuff is as
> transparent as it needs to be for outside contributors.
>
> Time to get build people where they are, and not where we are.

As Andrey wrote, sure this would be better, but also impossible.

How .dsc/.deb/.orig.tar.gz and occasional modified .tar.gz work in
Debian is fundamentally very different from how in e.g. Alpine a
single APKBUILD defines a the upstream source a just an URL and a
sha512 to verify the download was correct. Maybe one day in the future
we change the Debian source format to not have upstream tarball
bundled, but that is a totally different discussion from what we are
doing now in DEP-18: recognizing the current most common workflows and
elevating them as the recommended baseline for those who are keen to
collaborate more efficiently.

In Debian/DEP-18 for all the normal daily packaging work like pulling
and pushing, making commits, amending commits, creating branches,
rebasing branches etc you can and should use just regular git commits.
Git-buildpackage is there only to tell people that is the tool to
interact with repos. Git-buildpackage does what it does out of
necessity to be able to produce the *.changes and *.dsc files.
Therefore the upstream import and building packages need to be done in
a certain way and there are 2 or 3 branches in the git repositories.
Luckily, these 3 branch names are unified to be debian/latest,
upstream/latest and pristine-tar thanks to DEP-14. Now with DEP-18 we
can move along and make it easier for new people and also tenured
maintainers to land on the same best practices.

Going back to the example of Alpine, they enforce heavily one single
workflow that includes one single VCS (git), one single hosting place
(https://gitlab.alpinelinux.org/) and to my knowledge also one single
tool to build and update packages. DEP-18 does not enforce anything,
but if you want to have a situation that people voluntarily move
towards adopting the same base workflow for undifferentiated Debian
packaging, you should support DEP-18 and not dismiss it.



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-21 Thread Otto Kekäläinen
Hi,

> > > fwiw, I'm also not using git-buildpackage and I don't want to. (Step 
> > > learning
> > > curve, too much magic, hard to debug and I dont see benefits for the 
> > > packages
> > > I maintain.) I'm also not a beginner. And I love gbp-dch.
> > I think git-buildpackage is great, and I am a happy user. However, it
> > took me quite a while to figure out what is the optimal way to use it,
> > as it has so many options. Can you elaborate what is the specific
> > action/workflow you think git-buildpackage you were frustrated with?
>
> sigh. see above.

I obviously saw above and I think asking for more details I think is
fair so we can discuss if the thing you experienced as "hard to learn"
or "had too much magic" was fundamentally bad and can't be fixed, or
perhaps if better docs or better error handling etc can make that
frustration go away. I feel we should try to polish and improve the
existing tooling that the majority uses, rather than giving up on it
and demand an entirely new tool or workflow.

> in addition to the above: gbp is great if it works, if it doesn't I can
> start to learn to debug a complex system, while on the contrary, if I use
> git and debuild/pbuilder/sbuild manually all the time, I know those tools,
> they are rather easy to debug etc.

Personally I think gbp is very easy to debug. You just add --verbose
to any command and it will print out what it is doing. Example:

± gbp import-orig --uscan --verbose
gbp:debug: ['git', 'rev-parse', '--show-cdup']
gbp:debug: ['git', 'rev-parse', '--is-bare-repository']
gbp:debug: ['git', 'rev-parse', '--git-dir']
gbp:debug: ['git', 'for-each-ref', '--format=%(refname:short)', 'refs/heads/']
gbp:debug: ['git', 'show-ref', '--verify', 'refs/heads/upstream']
gbp:error:
Repository does not have branch 'upstream' for upstream sources. If
there is none see
file:///usr/share/doc/git-buildpackage/manual-html/gbp.import.html#GBP.IMPORT.CONVERT
on howto create it otherwise use --upstream-branch to specify it.

I am sure you already knew this, but pasting here an example for the
sake of discussion.

The output and debuggability can for sure further be improved still, I
am not saying gbp is perfect, but it is by far the best we have and
deserves to be the thing any team or large group standardize on today
to have an easier time collaborating.

> > I think this will be more successful if you frame this as good patterns
> > to follow for people who wish to opt-in on the premise of adopting this
> > workflow.  That framing follows other DEP's.  Now it reads as a mandate
> > for everything.  Acknowledging existance of exceptions to the rules
> > within the rules may also help to gain acceptance.
>
> This!

Thanks for the feedback, I will try to further iterate on the
introduction part in DEP-18 to make is more clear what is the purpose
and that a DEP-18 is not a policy and is opt-in like all the other
DEPs.



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-21 Thread Soren Stoutner
On Wednesday, November 20, 2024 9:10:30 PM MST Otto Kekäläinen wrote:
> I am not enforcing git-buildpackage on everyone. I am accelerating the
> convergence of workflows so that it is easier for maintainers to
> collaborate, so we can have more code reviews, more new maintainers,
> and in the long run perhaps decrease the number of single-maintainer
> packages for packages where the maintainer does not want to be the
> sole maintainer. Currently the learning curve on how to contribute
> prevents many people from doing it.

I am all for this.  I don’t know if we will ever get the number of Debian 
workflows down to 1, but I would like to see it somewhere lower than 1,000 
(that is only a slight exaggeration) in my lifetime.

-- 
Soren Stoutner
so...@debian.org

signature.asc
Description: This is a digitally signed message part.


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-21 Thread Johannes Schauer Marin Rodrigues
Hi,

Quoting Otto Kekäläinen (2024-11-19 07:34:45)
> I am contemplating if I should also make videos on Debian packaging best
> practices, or have start a new Matrix channel specifically to help
> maintainers setup their git repositories correctly and find the optimal
> git-buildpackage commands for each thing they want to do.

I'd describe myself of being in the camp of "I don't care about the commands, i
don't care how my git branches are named, just document one thing so that my
packages can do the same thing that most other packages do". For that reason I
so far created new package repos with "gbp import-dsc" and used all the
defaults that come with that. I don't think I care much for what these defaults
are at least I didn't see myself reading past discussions about this and
thinking "no don't name this branch debian/latest instead of debian/foo" or
something. I like to read of other people's workflows but then I often do not
see how their workflows can possibly fit my packages. There seem to be many
people who have the upstream git as part of their packaging git. I'm happy that
works for them but I don't see how I can leave my tarball-centered workflows
(even though all my upstream work in git) if all my upstreams ship DFSG
non-free material which I have to remove from their tarballs first.

So given all this, the point I wanted to make was: I'd like to watch your
videos if you make them. But at least for me you do not have to go through the
trouble of shooting videos. Just some HTML docs would be just fine for me.
Currently, I'm missing a long-term maintained document which explains "the"
(haha) recommended Debian git workflow through the lifetime of a package from
its initial creation to backports or stable updates.

Thank you for your work!

cheers, josch

signature.asc
Description: signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-21 Thread Andrey Rakhmatullin
On Thu, Nov 21, 2024 at 11:26:15AM +, Holger Levsen wrote:
> > I am not enforcing git-buildpackage on everyone. I am accelerating the
> > convergence of workflows so that it is easier for maintainers to
> > collaborate, so we can have more code reviews, more new maintainers,
> > and in the long run perhaps decrease the number of single-maintainer
> > packages for packages where the maintainer does not want to be the
> > sole maintainer. 
> 
> and you seem to think adding another Debian specific complex tool will
> attrack new people? Most people^wcontributors out there know git already,
> for them a simple git only workflow is *much* more inviting than having
> to learn gbp *only* to contribute to Debian. gbp is useless outside
> Debian (and derivatives. Yet, thats only a part of the free software world.) 

Yes, changing Debian so that the required workflows are more simple is
much better but also impossible.


-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-21 Thread Stefano Rivera
Hi Kari (2024.11.18_15:40:55_+)
> - Only store debian/ in the repository and use origtargz for the rest.

I used to feel strongly this way, too. However,

A big advantage of storing the upstream sources in git is that you can
use git to manage the quilt patch queue. I used to be pretty good at
editing patches to get them to apply after upstream changed the code,
but its painful and slow work. gbp-pq rebase is *infinitely* better.
You need to be comfortable in git rebasing. But if you use git, you are
probably already a git rebase ninja. You can use those same skills in
Debian patch queue maintenance.

I'd suggest giving gbp-pq a good try before writing off the gbp stack.
Maintaining a complex patch stack is *much* easier with it.  I look
after packages in both layouts, and I am sold on storing upstream
sources in git.

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-21 Thread Chris Hofstaedtler
* Holger Levsen  [241121 12:26]:
> and you seem to think adding another Debian specific complex tool will
> attrack new people? Most people^wcontributors out there know git already,
> for them a simple git only workflow is *much* more inviting than having
> to learn gbp *only* to contribute to Debian.

This. Exactly this.

This is the reason I can contribute small improvements to Alpine and
other projects with reasonable effort for small improvements. The
tools are the same tools I already use elsewhere, and stuff is as
transparent as it needs to be for outside contributors.

Time to get build people where they are, and not where we are.

Chris



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-21 Thread Holger Levsen
On Wed, Nov 20, 2024 at 08:10:30PM -0800, Otto Kekäläinen wrote:
> > fwiw, I'm also not using git-buildpackage and I don't want to. (Step 
> > learning
> > curve, too much magic, hard to debug and I dont see benefits for the 
> > packages
> > I maintain.) I'm also not a beginner. And I love gbp-dch.
> I think git-buildpackage is great, and I am a happy user. However, it
> took me quite a while to figure out what is the optimal way to use it,
> as it has so many options. Can you elaborate what is the specific
> action/workflow you think git-buildpackage you were frustrated with?

sigh. see above.

in addition to the above: gbp is great if it works, if it doesn't I can
start to learn to debug a complex system, while on the contrary, if I use
git and debuild/pbuilder/sbuild manually all the time, I know those tools,
they are rather easy to debug etc.

> I am not enforcing git-buildpackage on everyone. I am accelerating the
> convergence of workflows so that it is easier for maintainers to
> collaborate, so we can have more code reviews, more new maintainers,
> and in the long run perhaps decrease the number of single-maintainer
> packages for packages where the maintainer does not want to be the
> sole maintainer. 

and you seem to think adding another Debian specific complex tool will
attrack new people? Most people^wcontributors out there know git already,
for them a simple git only workflow is *much* more inviting than having
to learn gbp *only* to contribute to Debian. gbp is useless outside
Debian (and derivatives. Yet, thats only a part of the free software world.) 

On Thu, Nov 21, 2024 at 09:51:15AM +0100, Simon Josefsson wrote:
> Otto Kekäläinen  writes:
> I think this will be more successful if you frame this as good patterns
> to follow for people who wish to opt-in on the premise of adopting this
> workflow.  That framing follows other DEP's.  Now it reads as a mandate
> for everything.  Acknowledging existance of exceptions to the rules
> within the rules may also help to gain acceptance.

This!

...and hopefully last post on this thread from me. I've said everything I
wanted to say.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The upcoming clima apocalypse is the big elephant in every room now.


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-20 Thread Otto Kekäläinen
Hi!

> fwiw, I'm also not using git-buildpackage and I don't want to. (Step learning
> curve, too much magic, hard to debug and I dont see benefits for the packages
> I maintain.) I'm also not a beginner. And I love gbp-dch.

I think git-buildpackage is great, and I am a happy user. However, it
took me quite a while to figure out what is the optimal way to use it,
as it has so many options. Can you elaborate what is the specific
action/workflow you think git-buildpackage you were frustrated with?
Perhaps I can help you discover the optimal workflow and you can skip
the learning curve?

> please dont enforce git-buildpackage on everyone.

I am not enforcing git-buildpackage on everyone. I am accelerating the
convergence of workflows so that it is easier for maintainers to
collaborate, so we can have more code reviews, more new maintainers,
and in the long run perhaps decrease the number of single-maintainer
packages for packages where the maintainer does not want to be the
sole maintainer. Currently the learning curve on how to contribute
prevents many people from doing it. As part of this I help people make
the most out of git-buildpackage, which is by far the most popular
tool for this, and to my knowledge the only tool that supports having
upstream branch in the same repository, cherry-picking upstream
commits easily, rebasing Debian patches on upstream, tracking
supply-chain from upstream git tags and tarballs (or both) to Debian
releases and so forth. There is a debian/gbp.conf in 13573 packages in
Debian, and probably twice as many in total use git-buildpackage
already. Almost all team policies I read have converged on
git-buildpackage. If we don't converge on what the majority is already
using, what then?

> emacs might be better than nano for many usecases, but not all. if someone
> would force me to use emacs, I'd be out. (FWIW, i'm a vim user, this is an
> analogy.)

The analogy with an editor does not work, as the editor is your
personal tool. A better analogy would be interactive pair-programming,
and in such a setting would need to agree with your pair to use for
example Pulsar or Zed so that there is a common system that shows on
your screens what the other person is typing.

If you had bad experiences with git-buildpackage, please share them
with me, I can help you find the optimal workflow, and you can perhaps
give git-buildpackage a second chance?



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-20 Thread Sean Whitton
Hello Kari,

Have you seen:

https://wiki.debian.org/GitPackagingSurvey

You may find something suitable for what you want there.

-- 
Sean Whitton



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-19 Thread Holger Levsen
hi,

fwiw, I'm also not using git-buildpackage and I don't want to. (Step learning
curve, too much magic, hard to debug and I dont see benefits for the packages
I maintain.) I'm also not a beginner. And I love gbp-dch.

just as another data point. (the above.)

please dont enforce git-buildpackage on everyone.

emacs might be better than nano for many usecases, but not all. if someone 
would force me to use emacs, I'd be out. (FWIW, i'm a vim user, this is an
analogy.)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Segregation was legal. Slavery was legal. Don't use legality as a guide to
morality.


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-18 Thread Otto Kekäläinen
Hi!

> With all the recent talk about increasing the use of git for
> packaging, I'd like to address one thing: git-buildpackage is very
> complex to use.  As an alternative, I'd like to propose a simpler
> setup:
..
> sick of it and I can tell you it only makes me want to ignore you.  If
> you ask me it's git-buildpackage's irreducible difficulty of use
> that's the largest road block to increase the use of git for
> packaging.

I think git-buildpackage is great, and I am a happy user.

It did however take me quite a while to figure out what is the best
practice to use it, as it has so many options. I see you are also
using it at https://salsa.debian.org/science-team/chuffed so you seem
to have learned to use it. Can you elaborate, is there a specific
thing you think git-buildpackage falls short on?

Instead of trying to write a new tool from scratch, I hope more people
would offer help to Guido to maintain and polish git-buildpackage and
docs. I am for example proposing doc improvements in
https://salsa.debian.org/agx/git-buildpackage/-/merge_requests/6 and I
tried make git-buildpackage use DEP-14 branches (debian/latest and
upstream/latest) by default in
https://salsa.debian.org/agx/git-buildpackage/-/merge_requests/1,
although I ran out of steam with this latter one as it turned out to
be quite complex. I was also planning to suggest updates the the
Developers Reference on how to use git-buildpackage in the context of
daily package maintenance tasks so people would more easily discover
them (draft at 
https://salsa.debian.org/debian/developers-reference/-/merge_requests/63).

To make it easier for contributors I publish in my packages
debian/gbp.conf, so the settings are automatically correct, and also
README.source(.md) so contributors can discover the correct gbp
comands easily. See examples at
https://salsa.debian.org/debian/entr/-/blob/debian/latest/debian/gbp.conf
and 
https://salsa.debian.org/debian/entr/-/blob/debian/latest/debian/README.source.md.

I am contemplating if I should also make videos on Debian packaging
best practices, or have start a new Matrix channel specifically to
help maintainers setup their git repositories correctly and find the
optimal git-buildpackage commands for each thing they want to do.



Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-18 Thread Peter Pentchev
On Mon, Nov 18, 2024 at 05:40:55PM +0200, Kari Pahula wrote:
> With all the recent talk about increasing the use of git for
> packaging, I'd like to address one thing: git-buildpackage is very
> complex to use.  As an alternative, I'd like to propose a simpler
> setup:
> 
> - Only store debian/ in the repository and use origtargz for the rest.
> 
> - One branch per distribution you target.
> 
> - Only tag debian revisions.
> 
> That's it, less is more.  The master branch would be just a single
> debian directory.  What it specifically wouldn't have is an upstream
> branch and no extracted upstream sources in any permanent branch.

Let me start by saying that I understand where you're coming from;
any tool that allows different use scenarios will almost inevitably
grow more and more complex with time, and become more and more
difficult to use by beginners, unless there are good tutorials and
step-by-step recipes for the most common cases. TBH, I think that
the git-buildpackage manual is relatively easy to read and
understand, but, of course, that opinion of mine is tainted by
the fact that I cannot exactly be called a beginner :) (although
there are new things I learn about Debian packaging every month)

However... different people are used to different workflows.
I personally really, really like the fact that I have the Git history of
all the upstream files in the same repo and I don't have to go over to
a different repo to figure out what changed when. Also, I like that
immediately after `gbp import-orig` I can run `git show upstream` to
review the diff (TBH, me being very pedantic, I usually have already
given it a quick glance using `diff -urN` on unpacked tarballs before
even importing it, if only to figure out if there are new files that
I need to exclude, but that's not always the case), and that I can
at any time later run `git diff upstream/2.17.18..upstream/3.14.15 path`
or similar commands. I have even been known to use `git bisect` in
a Debian package directory in some weird cases.

And yes, all of that can be handled in a separate Git repo with
a clean checkout of the upstream repository without any of
the Debian fluff; however, that would require me switching between
terminals/tmux panes/whatever, and sometimes that seems like too much
work when I can have it all in a single repository :)

So... yes, a simpler setup would work for some people, and it may be
better for beginners. However, there are some benefits to a full
repository containing both the upstream source and the Debian changes,
and some people like to use them every now and then.

Still, thanks for your desire to make working on Debian easier and
better!

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org pe...@morpheusly.com
PGP key:https://www.ringlet.net/roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-18 Thread Andrey Rakhmatullin
On Mon, Nov 18, 2024 at 08:16:59PM +0200, Kari Pahula wrote:
> > However... different people are used to different workflows.
> > I personally really, really like the fact that I have the Git history of
> > all the upstream files in the same repo and I don't have to go over to
> > a different repo to figure out what changed when. Also, I like that
> > immediately after `gbp import-orig` I can run `git show upstream` to
> > review the diff (TBH, me being very pedantic, I usually have already
> > given it a quick glance using `diff -urN` on unpacked tarballs before
> > even importing it, if only to figure out if there are new files that
> > I need to exclude, but that's not always the case), and that I can
> > at any time later run `git diff upstream/2.17.18..upstream/3.14.15 path`
> > or similar commands. I have even been known to use `git bisect` in
> > a Debian package directory in some weird cases.
> > 
> > And yes, all of that can be handled in a separate Git repo with
> > a clean checkout of the upstream repository without any of
> > the Debian fluff; however, that would require me switching between
> > terminals/tmux panes/whatever, and sometimes that seems like too much
> > work when I can have it all in a single repository :)
> 
> Preface, just in case: I list a few git commands, don't try running
> them if you have uncommitted changes.
> 
> Okay, I could amend what I proposed originally with this option: Do
> the debian work in a fork of upstream's repository, but never merge
> the debian branch and upstream branch.  That is, the start of Debian
> maintenance would be by cloning upstream and then with "git checkout
> --orphan debian" followed by "git reset --hard".
> 
> Do you think you could do all of the above with that model, with a
> command like "git checkout debian -- ." to insert the debian contents
> to an upstream branch?
> 
> I'm thinking that it's the merging of debian and upstream branches and
> maintaining it that really causes the warts in gbp and I'm not at all
> sure if there are any actual workflows that require having that.
> "upstreamless" as I described it may be a bit too much for general use
> but could there be a case for doing everything with a mergeless model
> instead?  
> 
> Furthermore, I think import-orig should really be only about
> establishing a particular byte string as the orig.tar.  Think of
> object storage.  If there's a connection to a particular commit hash
> or release tag in the repository it would better be represented as a
> separate entry.  Perhaps as a text file like debian/upstream-commits
> that would be a list of upstream version/commit hash or tag pairs.
> From where I stand, the way these disparate concerns have been merged
> seems to be one root cause for all sorts of unintended consequences.

You are talking about the upstream git history while Peter is talking
about simply importing orig tarballs.

Maybe what is causing warts in gbp *for you* is some *specific* gbp
workflow, one of the many it supports?


-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-18 Thread Kari Pahula
On Mon, Nov 18, 2024 at 06:19:58PM +0200, Peter Pentchev wrote:
> However... different people are used to different workflows.
> I personally really, really like the fact that I have the Git history of
> all the upstream files in the same repo and I don't have to go over to
> a different repo to figure out what changed when. Also, I like that
> immediately after `gbp import-orig` I can run `git show upstream` to
> review the diff (TBH, me being very pedantic, I usually have already
> given it a quick glance using `diff -urN` on unpacked tarballs before
> even importing it, if only to figure out if there are new files that
> I need to exclude, but that's not always the case), and that I can
> at any time later run `git diff upstream/2.17.18..upstream/3.14.15 path`
> or similar commands. I have even been known to use `git bisect` in
> a Debian package directory in some weird cases.
> 
> And yes, all of that can be handled in a separate Git repo with
> a clean checkout of the upstream repository without any of
> the Debian fluff; however, that would require me switching between
> terminals/tmux panes/whatever, and sometimes that seems like too much
> work when I can have it all in a single repository :)

Preface, just in case: I list a few git commands, don't try running
them if you have uncommitted changes.

Okay, I could amend what I proposed originally with this option: Do
the debian work in a fork of upstream's repository, but never merge
the debian branch and upstream branch.  That is, the start of Debian
maintenance would be by cloning upstream and then with "git checkout
--orphan debian" followed by "git reset --hard".

Do you think you could do all of the above with that model, with a
command like "git checkout debian -- ." to insert the debian contents
to an upstream branch?

I'm thinking that it's the merging of debian and upstream branches and
maintaining it that really causes the warts in gbp and I'm not at all
sure if there are any actual workflows that require having that.
"upstreamless" as I described it may be a bit too much for general use
but could there be a case for doing everything with a mergeless model
instead?  

Furthermore, I think import-orig should really be only about
establishing a particular byte string as the orig.tar.  Think of
object storage.  If there's a connection to a particular commit hash
or release tag in the repository it would better be represented as a
separate entry.  Perhaps as a text file like debian/upstream-commits
that would be a list of upstream version/commit hash or tag pairs.
From where I stand, the way these disparate concerns have been merged
seems to be one root cause for all sorts of unintended consequences.

> So... yes, a simpler setup would work for some people, and it may be
> better for beginners. However, there are some benefits to a full
> repository containing both the upstream source and the Debian changes,
> and some people like to use them every now and then.

I don't agree with framing this as a beginner/expert issue.

> Still, thanks for your desire to make working on Debian easier and
> better!

You don't really sound willing to discuss anything with that but I'm
still going to try.


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-18 Thread Andrey Rakhmatullin
On Mon, Nov 18, 2024 at 05:40:55PM +0200, Kari Pahula wrote:
> With all the recent talk about increasing the use of git for
> packaging, I'd like to address one thing: git-buildpackage is very
> complex to use.  As an alternative, I'd like to propose a simpler
> setup:

We want fewer allowed setups, not more. Though it's clear to me at this
point that if this become more than a dream, we will need to allow more
than one.

> - Only store debian/ in the repository and use origtargz for the rest.
> 
> - One branch per distribution you target.
> 
> - Only tag debian revisions.

--git-overlay probably supports this, but it's not really documented so I
don't really know.

> That's it, less is more.  The master branch would be just a single
> debian directory.  What it specifically wouldn't have is an upstream
> branch and no extracted upstream sources in any permanent branch.

Many people want to have version-tracked upstream sources so this can't be
the only allowed workflow.

> gbp dch would still be useful with this workflow.  gbp pq could be
> made to work with this if you extracted orig.tar and committed it to a
> temporary local working branch and used it against it.

"How do I create and update patches" is actually a big part of a good
workflow, and this way doesn't sound easy.
Though of course there is no way to have 3.0 (quilt), git and easy patch
workflows at the same time.

> I guess interfacing with upstream's git with gbp has its uses but it
> just seems to me that the capability comes with a hefty cost.  If you
> can maintain a package with having orig.tar files be your interface to
> upstream's releases then it simplifies things on our side a whole lot.

It's not necessarily interfacing with upstream's git, just
version-tracking tarballs is already very useful. Maybe more useful than
the upstream git in certain use cases.

> I've been a DD longer than git-buildpackage has been around and I've
> been looking at using it at various times but pretty much every time
> my reaction's been "must I?"  I know a lot of people do use gbp daily
> for work with good effect but somehow I suspect even they had quite a
> steep learning curve to get into it.  I wouldn't fancy the idea of
> trying to explain how to use it to someone on d-mentors.

I have many interconnected thoughts about this:

1. git-buildpackage is complicated because it supports many different
workflows, some of which don't have anything in common. This simply
represents a bigger problem in Debian and is not specific to
git-buildpackage.
2. git-buildpackage is bad. This is unavoidable, because any tool that
tries to wrap the inherently incompatible Debian packages workflow into a
VCS will be bad in some way. So we don't and, unavoidably, can't have a
better tool and must work with what we have.
3. git-buildpackage has a steep learning curve, but I don't expect it to
be that steep for people who are already proficient both with Debian
packaging and with git. Which new users aren't, at least because of the
former, but it's far from the only thing with a steel learning curve and
not enough docs they will hit their heads against.
4. git itself has a steep learning curve, bad UI, bad docs etc. etc., but
we clearly don't have a better VCS to store packages in, and we really
need to do that. And, at least, git knowledge is both useful outside
Debian and possible to already have before becoming a Debian package,
unlike almost everything else you need to know in Debian packaging.
5. *Debian packaging itself* is notoriously hard to learn, and as long as
it stays as hard as it is now not a lot of things on top of it could make
the overall experience harder and some of them may make it *easier* for
many people.
6. Whatever workflow one needs to learn, even if it's just a single one,
will be hard for a newbie in a large part because of the disconnect
between the VCS concept and the "source package as a first class citizen"
concept, even before we talk about patches, uscan and upstreams without
tarballs.

Long story short, I don't envy our newbie contributors and I don't think
it will be easier for them in my lifetime.


> I must say that I haven't been that impressed with the DEP-18
> discussion I've seen.  It seems like the message has pretty
> consistently been "if you don't use git you're the problem" and I'm
> sick of it and I can tell you it only makes me want to ignore you.

I'm afraid I don't see a peaceful way forward for the project. Most likely
we will continue stagnating and losing people but in a less probably
scenario with big changes many people will resign.

> If you ask me it's git-buildpackage's irreducible difficulty of use
> that's the largest road block to increase the use of git for packaging.

:-/


-- 
WBR, wRAR


signature.asc
Description: PGP signature


Re: Simpler git workflow for packaging with upstreamless repositories

2024-11-18 Thread Soren Stoutner
Kari,

On Monday, November 18, 2024 8:40:55 AM MST Kari Pahula wrote:
> I've been a DD longer than git-buildpackage has been around and I've
> been looking at using it at various times but pretty much every time
> my reaction's been "must I?"  I know a lot of people do use gbp daily
> for work with good effect but somehow I suspect even they had quite a
> steep learning curve to get into it.  I wouldn't fancy the idea of
> trying to explain how to use it to someone on d-mentors.

I don’t want to necessarily disagree with anything you have said, but if you 
want an example of me explaining how to use gbp on Debian Mentors you can take 
a look at:

https://lists.debian.org/debian-mentors/2024/09/msg00057.html

And yes, it is a steep learning curve.

-- 
Soren Stoutner
so...@debian.org

signature.asc
Description: This is a digitally signed message part.