Re: Ship a git .bundle in .dsc and .deb

2024-08-14 Thread Todd Zullinger
Piper McCorkle wrote:
> On Wednesday, 14 August 2024 16:43:54 CDT Agathe Porte wrote:
>> Or maybe I could tar the upstream .git folder and store everything else
>> as plain files? But still a binary blob in source package. And
>> extracting the tar into a .git in the filesystem in /usr/share/ may
>> raise a lot of Lintian warnings?
> 
> Perhaps you could include the contents of the git repo in the source package, 
> then in d/rules run something like `cd usr/src/qmk_firmware && git init && cp 
> files . && git add -A && git commit`. That way, you just have regular files 
> in the source package, but you generate a synthetic Git repo in the build 
> process.
> 
> Reproducibility might be difficult, given that git uses the current date and 
> such for creating commits. Doesn't sound insurmountable though!

You can set GIT_AUTHOR_NAME and GIT_COMMITTER_DATE to use
SOURCE_DATE_EPOCH and export those vars (if there isn't a
helper which does this already in the Debian build tooling).

-- 
Todd


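Worked example of the approach discussed above (added here; it is not code from the thread, from Debian's build tooling or from qmk_firmware): a POSIX sh script that turns a plain file tree into a synthetic git repository whose commit id is reproducible, by pinning author and committer identity and dates to SOURCE_DATE_EPOCH, the variable dpkg-buildpackage derives from debian/changelog. It sets GIT_AUTHOR_DATE as well as GIT_COMMITTER_DATE, since git reads both when forming a commit. The sample tree, the identity strings and the fallback epoch are constructed for the demo; `synth_repo`, `make_sample_tree` and `check_reproducible` are names chosen for this example.

```shell
#!/bin/sh
# Added example: reproducible synthetic git repo from plain files,
# the kind of step one would put in debian/rules.
set -eu

# Build a git repository at $2 from the plain files under $1 and print
# the resulting commit id. Runs in a subshell so the exported variables
# and the cd do not leak into the caller.
synth_repo() (
    src="$1"
    dst="$2"
    # dpkg-buildpackage exports SOURCE_DATE_EPOCH; the fallback is a
    # constructed value so the script also runs stand-alone.
    epoch="${SOURCE_DATE_EPOCH:-1700000000}"

    # Commit ids cover name, e-mail and date of author and committer,
    # so every one of them must be fixed (constructed identity below).
    export GIT_AUTHOR_NAME="Debian Build" GIT_AUTHOR_EMAIL="build@example.invalid"
    export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME" GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"
    # "<seconds> <tz>" is git's internal date format; +0000 pins the zone.
    export GIT_AUTHOR_DATE="$epoch +0000" GIT_COMMITTER_DATE="$epoch +0000"
    # Keep the builder's own git configuration out of the result.
    export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null

    rm -rf "$dst"
    mkdir -p "$dst"
    cp -R "$src"/. "$dst"/
    cd "$dst"
    git -c init.defaultBranch=main init -q
    git add -A
    git commit -q -m "Import upstream sources"
    git rev-parse HEAD
)

# Constructed sample upstream tree standing in for usr/src/qmk_firmware.
make_sample_tree() {
    d="$1"
    rm -rf "$d"
    mkdir -p "$d/keyboards/example"
    printf 'MCU = atmega32u4\n' > "$d/keyboards/example/rules.mk"
    printf '#define MATRIX_ROWS 4\n' > "$d/keyboards/example/config.h"
}

# Build the same tree twice into separate directories; print the commit id
# and return 0 only if both builds agree, which is the reproducibility check.
check_reproducible() {
    work="${TMPDIR:-/tmp}/synth-repo.$$"
    make_sample_tree "$work/src"
    a=$(synth_repo "$work/src" "$work/build1")
    b=$(synth_repo "$work/src" "$work/build2")
    rm -rf "$work"
    [ "$a" = "$b" ] && echo "$a"
}

# Stand-alone demo: ./synth-repo.sh --demo prints the commit id when both
# builds agree.
if [ "${1:-}" = "--demo" ]; then
    check_reproducible
fi
```

Because git trees record only file content and mode bits, file ownership and mtimes in the build directory do not affect the id; the two things that do are the environment variables set in `synth_repo` and the commit message, so changing SOURCE_DATE_EPOCH (for instance by a new changelog entry) yields a different, but again reproducible, commit.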


Re: xz backdoor

2024-03-30 Thread Todd Zullinger
Diane Trout wrote:
> On Sun, 2024-03-31 at 03:34 +0100, Wookey wrote:
>> On 2024-03-30 20:52 +0100, Ansgar 🙀 wrote:
>>> Yubikeys, Nitrokeys, GNUK, OpenPGP smartcards and similar devices.
>>> Possibly also TPM modules in computers.
>>> 
>>> These can usually be used for both OpenPGP and SSH keys.
>> 
>> Slightly off-topic, but a couple of recent posts have given me the
>> same thought:
>> 
>> Can someone point to good docs on this?  I've had a
>> yubikey for 3/4 of a year now but have not yet worked out
>> how I put my GPG key in it.  (or if it should be another
>> key, or a subkey, or whatever). So I'm not actually using
>> it yet.
> 
> I've also been thinking I needed to do this, and so far this has looked
> like the most detailed write-up I've found.

Another useful source is the "Protecting code integrity with
PGP" from the Linux Foundation IT folks:

https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md

It's a bit less daunting than the drduh guide, which can be
helpful for folks who aren't subject-matter experts and just
want a reasonable "how do I make this work" guide. :)

> I haven't followed the advice but I've been working on trying to
> understand it.
> 
> https://github.com/drduh/YubiKey-Guide

-- 
Todd

