[Pkg-fonts-devel] Greetings

Bobby de Vos bobby_devos at sil.org
Fri Mar 31 04:39:05 UTC 2017


On 2017-03-30 18:50, Paul Wise wrote:

> Welcome to the team :)

Thank you.

> I note that this font uses a build system that does not appear to be
> available in Debian yet, is SIL NRSI planning on packaging it for
> Debian? Debian likes to build fonts from source available in Debian
> using FLOSS tools packaged for Debian.
>
> https://github.com/silnrsi/smith

Smith and the tools it calls have been packaged, but are not in Debian.
They are at

https://launchpad.net/~silnrsi/+archive/ubuntu/smith

NRSI uses Launchpad to rebuild the packages when the source changes.
When we find a bug in one of the tools, Launchpad allows us to quickly
deploy the fixed code to our developers and build agents. If Smith and
the tools it calls were put into sid, how often are the Debian build
agents (I apologize if that is not the correct term) updated with recent
updates to smith and the tools? Some of the tools, such as grcompiler,
are already in Debian, but are not updated with the current releases.

> I also note that the repository for the font contains generated files,
> including binary TTF/WOFF files. Usually git repositories contain zero
> generated files, the generated files are listed in .gitignore and
> always built from source and then placed into binary packages (zip
> files for fonts). I would encourage SIL to adopt this model.

The git repo I mentioned, https://github.com/devosb/fonts-sil-lateefgr,
is not the upstream repo. The upstream repo is at
https://github.com/silnrsi/font-lateef . In that upstream repo, there is
a binary TTF file that I think is the export from FontLab. It is not the
final TTF that would be used on an installed system. NRSI is in the
middle of transitioning our tool chain to be more open. And there you
will find the generated fonts are ignored by .gitignore (results/** is
the line that does this).

The repo I mentioned (https://github.com/devosb/fonts-sil-lateefgr) is
more in line with the packaging repo for Harmattan at
https://anonscm.debian.org/cgit/pkg-fonts/fonts-sil-harmattan.git/ The
upstream is at https://github.com/silnrsi/font-harmattan. The upstream
does not contain any TTF files, the packaging repo does.

For LateefGR, upstream has released a zip file (LateefGR-1.200.zip)
containing built TTFs at
https://github.com/silnrsi/font-lateef/releases. Is that the file I
should be using to do Debian packaging? As you correctly noted, our
full, up-to-date toolchain is not in Debian (although it may be after a
while) so until that happens, how should I be making Debian packages of
NRSI fonts? I thought I was following the model of
https://anonscm.debian.org/cgit/pkg-fonts/fonts-sil-harmattan.git/ , but
it is quite possible I misunderstood something. The source is present
in the Harmattan packaging repo, even though it is not used by Debian to
build the TTF. If a zip file such as LateefGR-1.200.zip is used, it does
not contain any source, so where would the source (in a repo like the
Harmattan packaging repo) come from?

I joined this list to help get answers to questions like these, so I
appreciate your guidance.

> In addition, it would be great if there were electronic signatures
> (OpenPGP/etc) of all git commits and tags and any zip files or
> tarballs you release, so that Debian can verify the source code came
> from SIL and wasn't modified by github or network attackers.
>
> https://mikegerwitz.com/papers/git-horror-story
> https://github.com/blog/2144-gpg-signature-verification
> https://wiki.debian.org/Creating%20signed%20GitHub%20releases
> https://wiki.debian.org/debian/watch#Cryptographic_signature_verification

I appreciate the education in security practices and will pass this
information along.

Thanks, Bobby
 
-- 
Bobby de Vos
/bobby_devos at sil.org/


