"Simon" == Simon Richter <sjr@debian.org> writes:
Hi,
On 8/25/21 1:21 AM, Sean Whitton wrote:
From my point of view, signing git tags is no less well established a
best practice than signing tarballs -- in fact, to me, it seems *more*
well established.
That is ecosystem dependent.
FWIW, I'd love to see git bundles as a source archive format -- this would >allow shipping a (signed) tag, its commit, and the tree and blob objects for >that commit as a single file that can be built in a reproducible way and allows
changes on top to be easily tracked, including the branch point.
In the absence of an "official" upstream release tarball, using this format >also makes it clear that this is a git snapshot, so no explanation is needed >how that archive was created.
"git archive" is reproducible, for simplicity I wouldn't use a prefix
though. xz has some issues with reproducibility, AFAIK "-T2" makes it
disable some internal heuristics that are based on the machine it is
running on, and generates consistent output.
Excuse me, but -T in xz looks like to be the number of threads. Did you mistake it with something else?
Hi,
I wrote this many times, but I don't see why we should use any "upstream
tarball" when the Git repository itself contains the tarball with:
git archive --prefix=$(DEBPKGNAME)-$(VERSION)/ $(GIT_TAG) \
    | xz >../$(DEBPKGNAME)_$(VERSION).orig.tar.xz
(which leads to a .xz, which is nicer)
"git archive" is reproducible, for simplicity I wouldn't use a prefix
though. xz has some issues with reproducibility, AFAIK "-T2" makes it
disable some internal heuristics that are based on the machine it is
running on, and generates consistent output.
  Simon
"git archive" is reproducible
I wrote this many times, but I don't see why we should use any "upstream tarball" when the Git repository itself contains the tarball with:
git archive --prefix=$(DEBPKGNAME)-$(VERSION)/ $(GIT_TAG) \
| xz >../$(DEBPKGNAME)_$(VERSION).orig.tar.xz
(which leads to a .xz, which is nicer)
Not only then, only only has to merge the upstream tag in the Debian
branch to get the new release, but on top, no need to "gbp import" or "pristine-tar commit", and a single packaging branch becomes enough.
I very much wish this packaging workflow gained more traction, and the pristine-tar abomination dies...
On Wed, Aug 25, 2021 at 2:36 PM Simon Richter wrote:
"git archive" is reproducible
I'm told by the Bootstrappable Builds folks that `git archive` isn't deterministic in some cases to do with filtering, I lost the details
though.
Hi,
On 8/25/21 1:21 AM, Sean Whitton wrote:
From my point of view, signing git tags is no less well established a
best practice than signing tarballs -- in fact, to me, it seems *more*
well established.
That is ecosystem dependent.
That is ecosystem dependent.
Yes, that was my point. We're going to have upstreams who release
tarballs and upstreams who release tags for some time.
git archive --prefix=$(DEBPKGNAME)-$(VERSION)/ $(GIT_TAG) \
| xz >../$(DEBPKGNAME)_$(VERSION).orig.tar.xz
I noticed that sometimes Debian's choice of upstream source for[…]
packaging can be suboptimal. This is especially apparent for the
different per-language upstream packaging ecosystems[1], where the
upstream packaging differs from the upstream VCS in some significant
ways, including missing files, prebuilt files, embedded copies etc.
While the upstream VCS also sometimes has these issues, it is often
much less problematic than the upstream packaging ecosystems.
I'd like to suggest that we standardise on the upstream VCS for our orig.tar.gz files and phase out use of upstream packaging ecosystems.
1. the ecosystems I'm talking about include cargo, npm, browser
extensions, rubygems, pypi, CPAN etc.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 296 |
Nodes: | 16 (2 / 14) |
Uptime: | 46:02:01 |
Calls: | 6,648 |
Files: | 12,198 |
Messages: | 5,329,850 |