On Sat, Nov 22, 2014 at 04:44:51PM +0100, Matthias Urlichs wrote:
> Hi,
>
> Troy Benjegerdes:
> > How hard would it be to add hooks/helpers to dpkg-buildpackage to know how
> > to deal with git and mercurial repositories, and deterministically generate
> > the 'source' tar.gz from the repo?
> >
> Exactly: Get source by adding a vcs-git-commit: field which points to the
> sources in question, instead of uploading a huge .tar.?z file.
>
> > If you take this approach a little farther, I think there's an argument (I
> > am not sure it's a good one yet) that the debian source archive will take
> > up quite a bit less space if it's using git/mercurial repositories that can
> > store a single copy of the same file that's used in 15 different releases,
> > while the current approach makes 15 copies in the source packages.
>
> We usually do not *have* 15 releases. What we do have is updated source,
> so the archive's mirrors would need to get five small files (the incremental
> git .pack, its local and global indices, the new refs/heads/BRANCH entry,
> and a tag created by the autobuilder) instead of one large and
> mostly-redundant tar.xz.
>
> A packed git repo is typically 10…20% larger than the .tar.gz it's built
> from, so even with better compression via .xz this would be a win whenever
> there's more than one source version in the archive.
>
> I do plan to investigate this idea further. Sometime after the release.

Please also consider mercurial, or at least contact me when you have something
with git and I can make sure it works when cloned into mercurial.

My argument for this (besides my personal bias), is that a *feature* of
mercurial is that history is immutable, while git has the feature which allows
rewriting history. (my opinion is that's more of a misfeature)

From a security audit point of view, I would much rather have a clear immutable
history of the archive, which I can get with a bunch of tar.xz files. I think I
can get a good audit trail from mercurial, but git starts to make me nervous
about auditing, especially because I do not like the idea of referring to
everything by hash, and I'd rather have something clear like Mercurial's
revlog[1][2] format.

[1] http://xentac.net/2012/01/19/the-real-difference-between-git-and-mercurial.html
[2] http://selenic.com/mercurial/wiki/index.cgi/Presentations?action=AttachFile&do=get&target=ols-mercurial-paper.pdf

Archive: https://lists.debian.org/20141128054705.ge29...@nl.grid.coop
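
Added example, not part of the original messages: a shell sketch of the idea discussed in this thread, deriving the source tar.gz from a recorded commit id and comparing it with what a branch name yields after history is rewritten. The repository, file contents, identity, dates and the `pkg-1.0/` prefix are constructed; `git`, `gzip` and `sha256sum` are assumed to be installed.

```shell
#!/bin/sh
# Added example: repo contents, identity, dates and the pkg-1.0/ prefix are constructed.
set -eu

# Fixed identity and timestamp so the constructed commits are the same on every run.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_AUTHOR_DATE='1416657600 +0000' GIT_COMMITTER_DATE='1416657600 +0000'

# make_repo DIR: create a one-commit repository and print the commit id.
make_repo() {
    git init -q "$1"
    echo 'int main(void) { return 0; }' > "$1/main.c"
    git -C "$1" add main.c
    git -C "$1" -c commit.gpgsign=false commit -q -m 'release 1.0'
    git -C "$1" rev-parse HEAD
}

# source_digest REPO TREEISH: SHA-256 of the tar.gz derived from TREEISH.
# git archive takes file mtimes from the commit; gzip -n omits its own
# name/timestamp header, so the bytes depend only on the commit.
source_digest() {
    git -C "$1" archive --format=tar --prefix=pkg-1.0/ "$2" \
        | gzip -n | sha256sum | cut -d' ' -f1
}

# rewrite_history REPO: amend the tip commit, as a history rewrite would.
rewrite_history() {
    echo '/* changed after the fact */' >> "$1/main.c"
    git -C "$1" -c commit.gpgsign=false commit -q -a --amend -m 'release 1.0'
}

demo() {
    work=$(mktemp -d)
    pinned=$(make_repo "$work/upstream")
    git clone -q "$work/upstream" "$work/mirror"
    echo "pinned commit:       $pinned"
    echo "upstream @ pinned:   $(source_digest "$work/upstream" "$pinned")"
    echo "mirror   @ pinned:   $(source_digest "$work/mirror" "$pinned")"
    rewrite_history "$work/upstream"
    echo "upstream @ HEAD now: $(source_digest "$work/upstream" HEAD)"
    echo "mirror   @ HEAD:     $(source_digest "$work/mirror" HEAD)"
    rm -rf "$work"
}
demo
```

The first two digests match, and the mirror's digest is unchanged after the upstream rewrite; only the digest taken through the upstream branch name moves.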