Iustin Pop writes ("Re: Include git commit id and git tree id in *.changes
files when uploading? [and 1 more messages]"):
> I haven't followed the discussions (and while I tried to read "Debian’s
> git transition", I couldn't understand it), but having a field
> pointing to the exact signed tag used for uploads would be useful.
I think it's less useful than it initially appears. Because while one
might have "the exact signed tag", that doesn't guarantee any
particular correspondence between contents of the tagged commit, and
the source package contents.
If one uses git-buildpackage to make the source package, in the legacy
way, it is not unusual for the generated .dsc to have different
contents to the maintainer's DEP-14 tag.
So you can maaaybe use such a thing for auditing (and get false audit
alerts), or as a human to help navigate, but it would be a serious
mistake to write a program that used such a tag *instead of* the
source package.
To be really useful, we want the tag to correspond to the *contents*
in a formal, defined, and verifiable way. The dgit-generated tags
have this property.
And, the dgit-generated tags *are* sufficiently declared in the .dsc:
the .dsc tells you the source package name and version number (and
that the package was pushed to *Debian*) and that means you can find
the tag simply from the source package name and the version number.
Let me run you through a worked example. Let's start with dgit
itself, version 13.20 which I uploaded a day or two ago:
We can start here
https://tracker.debian.org/pkg/dgit
If we want to go via a dsc from a mirror, we can follow the link
there to this:
https://deb.debian.org/debian/pool/main/d/dgit/dgit_13.20.dsc
That contains this field:
Dgit: 144fa18990ffe45b51d5490e4c49ed9f9a475807 debian archive/debian/13.20
https://git.dgit.debian.org/dgit
That says we can find the upload at https://git.dgit.debian.org/dgit
at the ref archive/debian/13.20 and that we should expect it to refer
to commit 144fa18990ffe45b51d5490e4c49ed9f9a475807. And here it is:
https://browse.dgit.debian.org/dgit.git/tag/?h=archive/debian/13.20
And there's also the "maintainer view" tag (which would correspond to
the patches-unapplied version of a gbp pq package):
https://browse.dgit.debian.org/dgit.git/tag/?h=debian/13.20
That has a formulaic name too, and the in-tag metadata tells you
precisely what transformation was made to get from debian/13.20 to
archive/debian/13.20. (In this case, `no-split`, meaning there is no
difference.)
So there is no need for an *additional* header field.
Of course all of this is only there if you use dgit push, or
tag2upload.
But if we want a reliable tag, that you might reasonably choose to use
instead of downloading the dsc and tarballs, we need *some* kind of
new tool that checks that the two things actually correspond.
That tool is dgit.
> (I'm still trying to understand what the future of packaging is, and
> what do I need to switch to, from my use of gbp)
We intend to write something more actionable for maintainers...
We're also hoping someone will help update especially devref.
Ian.
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
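A worked check of the Dgit field described in the message above, added here as an example; it is not part of the original message and not dgit's own code. It assumes the DEP-14 version mangling rule (':' to '%', '~' to '_', and '.' before another '.', end of string or 'lock' to '.#') and constructs its sample .dsc from the fields quoted above. It only confirms that the field is internally consistent with the package name and version; establishing that the tagged tree actually corresponds to the source package contents is what dgit does, and this script does not replace that.

```python
import re

# Constructed sample: the relevant fields of a .dsc, modelled on the
# dgit_13.20.dsc quoted above.  The Dgit field is folded onto a
# continuation line, exactly as it appears in the archive.
SAMPLE_DSC = """\
Format: 3.0 (native)
Source: dgit
Version: 13.20
Dgit: 144fa18990ffe45b51d5490e4c49ed9f9a475807 debian archive/debian/13.20
 https://git.dgit.debian.org/dgit
"""

def parse_dsc_fields(text):
    """Parse RFC822-style 'Key: value' fields, joining folded continuation lines."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            fields[last] += " " + line.strip()
        elif ":" in line:
            last, _, value = line.partition(":")
            fields[last] = value.strip()
    return fields

def dep14_mangle(version):
    """DEP-14 tag-name mangling of a Debian version (assumed rule, see lead-in)."""
    v = version.replace("~", "_").replace(":", "%")
    return re.sub(r"\.(?=\.|$|lock$)", ".#", v)

def expected_dgit_tag(distro, version):
    """The formulaic archive tag dgit uses: archive/<distro>/<mangled version>."""
    return f"archive/{distro}/{dep14_mangle(version)}"

def check_dgit_field(dsc_text):
    """Parse the Dgit field and report inconsistencies with Source/Version."""
    f = parse_dsc_fields(dsc_text)
    result = {"problems": []}
    if "Dgit" not in f:
        result["problems"].append("no Dgit field: not a dgit push / tag2upload upload")
        return result
    parts = f["Dgit"].split()
    if len(parts) < 4:
        result["problems"].append("malformed Dgit field: expected commit, distro, tag, url")
        return result
    result.update(zip(("commit", "distro", "tag", "url"), parts[:4]))
    if not re.fullmatch(r"[0-9a-f]{40}", result["commit"]):
        result["problems"].append("commit id is not a 40-hex-digit SHA-1")
    result["expected_tag"] = expected_dgit_tag(result["distro"], f.get("Version", ""))
    if result["tag"] != result["expected_tag"]:
        result["problems"].append(f"tag {result['tag']} != {result['expected_tag']}")
    return result
```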