Hi! ... > That setup sounds nice! What is your workflow to import a new upstream > release? > > I see the watch file still points to the tarball: > > https://salsa.debian.org/mariadb-team/mariadb-server/-/blob/debian/latest/debian/watch > > Would it be possible to extend the debian/watch syntax to be able to > express both a tarball and upstream git branch? > > Then 'gbp import-orig' would import both the tarball and sync git, after > performing PGP tarball verification and Git branch signature > verification. I suppose you are doing that manually somehow now?
Simon already replied and explained use of the git-buildpackage flag --add-upstream-vcs, but I encourage you to read up more details at https://manpages.debian.org/unstable/git-buildpackage/gbp-import-orig.1.en.html#upstream~3 and note that you can define it in your package debian/gbp.conf permanently, as upstream rarely changes the syntax they use, and whatever is permanently in debian/gbp.conf can be omitted from the command-line and thus makes using gbp commands simpler and uniform for all packages (as if there are per-upstream quirks, they are handled automatically per gbp.conf configs). I try to maintain both gbp.conf and README.source(.md) in all my packages to so that anyone can easily contribute, but in this package the REDME was a bit outdated, so this was a good trigger to update it - see now https://salsa.debian.org/mariadb-team/mariadb-server/-/blob/debian/latest/debian/README.source.md A typical import starts with fetching upstream branch and tag with one command: # git fetch --verbose upstreamvcs POST git-upload-pack (371 bytes) >From https://github.com/MariaDB/server = [up to date] 11.4 -> upstreamvcs/11.4 * [new tag] mariadb-11.4.3 -> mariadb-11.4.3 ..followed by the tarball download and automatic import that ties both git and tarball together: # gbp import-orig --uscan --verbose gbp:info: Launching uscan... uscan warn: The directory name packages doesn't match the requirement of --check-dirname-level=1 --check-dirname-regex=groonga\-normalizer\-mysql(-.+)? . Set --check-dirname-level=0 to disable this sanity check feature., skipping Newest version of mariadb on remote site is 11.4.3, local version is 11.4.2 => Newer package available from: => https://archive.mariadb.org/mariadb-11.4.3/source/mariadb-11.4.3.tar.gz gpgv: Signature made Tue Aug 6 14:56:23 2024 UTC gpgv: using RSA key 177F4010FE56CA3336300305F1656F24C74CD1D8 gpgv: Good signature from "MariaDB Signing Key <signing-...@mariadb.org>" Leaving ../mariadb_11.4.3.orig.tar.gz where it is. gbp:info: Using uscan downloaded tarball ../mariadb_11.4.3.orig.tar.gz gbp:info: <DebianUpstreamSource path='../mariadb_11.4.3.orig.tar.gz' signaturefile='../mariadb_11.4.3.orig.tar.gz.asc'> gbp:info: Importing '../mariadb_11.4.3.orig.tar.gz' to branch 'upstream/latest'... gbp:info: Source package is mariadb gbp:info: Upstream version is 11.4.3 gbp:info: Replacing upstream source on 'debian/latest' gbp:info: Running Postimport hook gbp:debug: dch -v 1:11.4.3-1 "New upstream release" [] [] gbp:debug: rm ['-rf', '/tmp/test/tmpfd4j_x0p'] [] gbp:info: Successfully imported version 11.4.3 of ../mariadb_11.4.3.orig.tar.gz Try running the above with `--verbose` to see all the details on what it does to git, signatures and pristine-tar. If I forget the fetch upstreamvcs, gbp will automatically error: # gbp import-orig --uscan --verbose gbp:info: Launching uscan... ... gbp:info: Importing '../mariadb_11.4.3.orig.tar.gz' to branch 'upstream/latest'... ... gbp:info: Upstream version is 11.4.3 gbp:error: Import of ../mariadb_11.4.3.orig.tar.gz failed: Can't find upstream vcs tag/revision at 'mariadb-11.4.3' Git-buildpackage will automatically error and abort on many important checks, just as one would expect: - if tarball signature is missing, or it does not verify with upstream signing key - if upstream git tag signature is missing (unfortunately it will accept any signature, there is currently no way to say which keyring of upstream devs are valid release tag signatores) - if my own gpg key is missing, and I can't sign the upstream import tag I guess debian/watch could be extended to scan for both upstream git tag and tarball availability in parallel, but as long as gbp.conf is correctly configured, the overall process is pretty smooth. Also git-buildpackage itself could be extended to have even more automation, but it is already on a level that I am delighted with it and use this workflow with all my packages. After the import I continue by manually writing noteworthy things about the upstream release in changelog: # gbp dch --distribution=UNRELEASED \ --commit --commit-msg="Update changelog and refresh patches after %(version)s import" \ -- debian gbp:info: Changelog last touched at 'b585ff1ab2762e9c81bc7b9cc8be379fefa880a5' gbp:info: Continuing from commit 'b585ff1ab2762e9c81bc7b9cc8be379fefa880a5' gbp:info: Only looking for changes on 'debian' gbp:info: Changelog committed for version 1:11.4.3-1 Then I continue by refreshing debian/patches/* contents: gbp pq rebase gbp pq export Plus whatever else I think is needed, one git commit per self-standing change, and then finally when time for upload I run: gbp dch --release --commit ..and then finally build and upload.
