Bug#871806: uscan: (dpkg, git-buildpackage) accept/mangle/store signed git tags in cases where upstream does not publish detached sigs on tarballs

Guillem Jover guillem at debian.org
Wed Aug 16 23:05:46 UTC 2017


Hi!

On Fri, 2017-08-11 at 14:15:28 -0400, Daniel Kahn Gillmor wrote:
> Package: devscripts
> Priority: wishlist
> Control: affects -1 + dpkg git-buildpackage pristine-tar
> X-Debbugs-Cc: dpkg at packages.debian.org, git-buildpackage at packages.debian.org, pristine-tar at packages.debian.org

> I'm not sure exactly how to do this, but what i'd like to see is a way
> for us to record and make use of signed git tags in the same way.
> 
> I'm opening this bug report in the hopes of starting discussion about
> how to best do it.

> Here's an extremely rough and inefficient approach (which i haven't
> implemented, as this is in brainstorming phase).  I've probably even got
> some of the terminology wrong, or the dataflows backward:
> 
>  * we document how we generate a debian "upstream tarball" from a git
>    tag.  for example, we put this in debian/upstream/vcs-gen-tarball:
> 
>     git archive --format=tar --prefix=${projname}-${version}/ ${tagname} | gzip -9n
> 
>  * make a shallow clone of the git archive at the tag, including the
>    tag. (i've confirmed that a signed git tag in a shallow repo does
>    validate correctly).
> 
>      git clone --bare --depth 1 -b ${tagname} \
>             file://path/to/upstream/${projname}.git ${projname}-${version}.git
> 
> 
>  * create an archive of the shallow clone, combined with the command to
>    generate the tarball (we can call this a "gtsig")
> 
>      rm -rf ${projname}-${version}.git/hooks
>      cp debian/upstream/vcs-gen-tarball ./${projname}-${version}.git
>      tar cz ./${projname}-${version}.git > ./${projname}-${version}.gtsig
> 
>  * write a simple tool to verify an orig.tar.gz against a signing key
>    and a gtsig, by extracting the "shallow clone" of the git repository,
>    verifying git tag -v, using git-archive, and then comparing the
>    results.

It seems to me like you are perhaps trying to reimplement dpkg source
format «3.0 (git)» (described in man dpkg-source)? :)

Thanks,
Guillem
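The proposal quoted above is a procedure with two halves: producing a "gtsig" (a depth-1 bare clone at the signed tag, hooks removed, the vcs-gen-tarball recipe copied in, the lot tarred up) and later verifying an orig tarball against it. The script below is an added example written for this thread; it is not code from devscripts, dpkg or git-buildpackage and nothing in the bug has been implemented this way. It assumes the bundle layout exactly as sketched (a gzipped tar containing ./${projname}-${version}.git with vcs-gen-tarball inside it), that the recipe reads the shell variables projname, version and tagname, that the trusted upstream keys live in a dedicated GNUPGHOME passed to the verifier, and that the verifier is handed the package's own copy of debian/upstream/vcs-gen-tarball rather than trusting the copy in the bundle. The function names make_gtsig and verify_gtsig are invented for the example.

```shell
#!/bin/sh
# Added example for bug #871806, not devscripts/dpkg/gbp code.
# Assumed bundle layout (as in the proposal): a gzipped tar holding
# ./<proj>-<ver>.git, a bare depth-1 clone at the signed tag with its
# hooks removed, plus the vcs-gen-tarball recipe copied into it.  The
# recipe is assumed to read the shell variables projname, version, tagname.
set -u

# make_gtsig UPSTREAM_GIT_DIR RECIPE PROJNAME VERSION TAGNAME OUT
# UPSTREAM_GIT_DIR must be absolute: git ignores --depth for plain local
# paths, so the clone has to go through file://.
make_gtsig() {
    upstream=$1 recipe=$2 projname=$3 version=$4 tagname=$5 out=$6
    name="${projname}-${version}.git"
    work=$(mktemp -d) || return 2
    if git clone -q --bare --depth 1 -b "$tagname" "file://$upstream" "$work/$name" &&
       rm -rf "$work/$name/hooks" &&
       cp "$recipe" "$work/$name/vcs-gen-tarball" &&
       tar -czf "$out" -C "$work" "./$name"
    then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# verify_gtsig ORIG_TARBALL GTSIG TRUSTED_GNUPGHOME RECIPE PROJNAME VERSION TAGNAME
# Returns 0 only if TAGNAME carries a good signature from a key held in
# TRUSTED_GNUPGHOME and the tarball regenerated by RECIPE matches
# ORIG_TARBALL.  RECIPE is the copy from the source package's own
# debian/upstream/, not the one in the bundle: the bundle is untrusted
# input until the signature has checked out, and even then only upstream's
# objects are covered by that signature.
verify_gtsig() {
    work=$(mktemp -d) || return 2
    _gtsig_check "$work" "$@"
    rc=$?
    rm -rf "$work"
    return $rc
}

_gtsig_check() {
    work=$1 orig=$2 gtsig=$3 keyring=$4 recipe=$5 projname=$6 version=$7 tagname=$8
    repo="$work/${projname}-${version}.git"

    # 1. Unpack and insist on the expected layout.
    tar -xzf "$gtsig" -C "$work" || return 1
    [ -d "$repo/objects" ] && [ -f "$repo/vcs-gen-tarball" ] ||
        { echo "gtsig: unexpected bundle layout" >&2; return 1; }

    # 2. Strip everything in the bundle that can steer git's behaviour:
    #    hooks, and the repository config (it could set gpg.program or
    #    core.hooksPath).  Objects and refs stay; the signature vouches
    #    for those, nothing vouches for the rest.
    rm -rf "$repo/hooks"
    printf '[core]\n\trepositoryformatversion = 0\n\tbare = true\n' >"$repo/config"

    # 3. The bundled recipe must be the one the package ships.
    cmp -s "$recipe" "$repo/vcs-gen-tarball" ||
        { echo "gtsig: bundled vcs-gen-tarball differs from $recipe" >&2; return 1; }

    # 4. Verify the tag against the trusted keyring only (GNUPGHOME), not
    #    the user's default keyring.  Unsigned tags and unknown keys fail.
    GNUPGHOME=$keyring git -C "$repo" -c gpg.program=gpg tag -v "$tagname" >/dev/null 2>&1 ||
        { echo "gtsig: no good signature on $tagname from a trusted key" >&2; return 1; }

    # 5. Regenerate the tarball the way the recipe says.
    ( cd "$repo" && projname=$projname version=$version tagname=$tagname sh ./vcs-gen-tarball ) \
        >"$work/regen.tar.gz" || return 1

    # 6. Compare.  git archive | gzip -9n is deterministic for a given git
    #    version, so byte identity is the normal outcome; otherwise accept
    #    a tarball whose unpacked tree is identical (e.g. one repacked
    #    with a different gzip level).
    if cmp -s "$orig" "$work/regen.tar.gz"; then
        echo "$orig is byte-identical to the archive of $tagname"; return 0
    fi
    mkdir "$work/a" "$work/b" || return 1
    tar -xzf "$orig" -C "$work/a" && tar -xzf "$work/regen.tar.gz" -C "$work/b" || return 1
    if diff -r "$work/a" "$work/b" >/dev/null; then
        echo "$orig unpacks to the same tree as the archive of $tagname"; return 0
    fi
    echo "$orig differs from the archive of $tagname" >&2
    return 1
}
```

Two points a practitioner would want noted. First, a bundle of this shape is attacker-controlled bytes until step 4 has passed, so the verifier must not let the repository's own config or hooks run: `git tag -v` consults gpg.program from the repo config, which is why the config is replaced and `-c gpg.program=gpg` is forced. Second, upstream's signature covers the tag and the objects it reaches, not the Debian-supplied recipe, so the recipe run in step 5 has to come from the source package (here it is required to be byte-identical to the bundled copy) rather than being executed straight out of the bundle.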
