Hi!

On Fri, 2017-08-11 at 14:15:28 -0400, Daniel Kahn Gillmor wrote:
> Package: devscripts
> Priority: wishlist
> Control: affects -1 + dpkg git-buildpackage pristine-tar
> X-Debbugs-Cc: d...@packages.debian.org, git-buildpack...@packages.debian.org,
> pristine-...@packages.debian.org
>
> I'm not sure exactly how to do this, but what i'd like to see is a way
> for us to record and make use of signed git tags in the same way.
>
> I'm opening this bug report in the hopes of starting discussion about
> how to best do it.
>
> Here's an extremely rough and inefficient approach (which i haven't
> implemented, as this is in brainstorming phase). I've probably even got
> some of the terminology wrong, or the dataflows backward:
>
>  * we document how we generate a debian "upstream tarball" from a git
>    tag. for example, we put this in debian/upstream/vcs-gen-tarball:
>
>      git archive --format=tar --prefix=${projname}-${version}/ ${tagname} |
>        gzip -9n
>
>  * make a shallow clone of the git archive at the tag, including the
>    tag. (i've confirmed that a signed git tag in a shallow repo does
>    validate correctly).
>
>      git clone --bare --depth 1 -b ${tagname} \
>          file://path/to/upstream/${projname}.git ${projname}-${version}.git
>
>  * create an archive of the shallow clone, combined with the command to
>    generate the tarball (we can call this a "gtsig")
>
>      rm -rf ${projname}-${version}.git/hooks
>      cp debian/upstream/vcs-gen-tarball ./${projname}-${version}.git
>      tar cz ./${projname}-${version}.git > ./${projname}-${version}.gtsig
>
>  * write a simple tool to verify an orig.tar.gz against a signing key
>    and a gtsig, by extracting the "shallow clone" of the git repository,
>    verifying git tag -v, using git-archive, and then comparing the
>    results.

It seems to me like you are perhaps trying to reimplement dpkg source
format «3.0 (git)» (described in man dpkg-source)? :)

Thanks,
Guillem
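The gtsig builder and the verify tool sketched in the quoted bullets, as an added example (not code from the bug report, devscripts or dpkg). It assumes the layout proposed above (a gzipped tar of a bare shallow clone named ${projname}-${version}.git with the vcs-gen-tarball recipe copied in), that the caller passes a GNUPGHOME holding only the keyring trusted for this upstream, and it compares the regenerated tarball with the orig.tar.gz as decompressed tar streams rather than as .gz bytes.

```shell
# Assumed gtsig layout (from the proposal): gzipped tar of a bare shallow
# clone "${projname}-${version}.git" with the vcs-gen-tarball recipe inside.

# Upstream tar stream for a tag, as the vcs-gen-tarball recipe produces it
# before gzip. The trailing slash makes the prefix a directory prefix.
gen_tar_stream() { # repo prefix tagname
    git -C "$1" archive --format=tar --prefix="$2/" "$3"
}

# Build the gtsig: shallow bare clone at the tag, hooks removed, recipe kept.
make_gtsig() { # upstream_url projname version tagname recipe_file out_file
    work=$(mktemp -d)
    git clone -q --bare --depth 1 -b "$4" "$1" "$work/$2-$3.git"
    rm -rf "$work/$2-$3.git/hooks"
    cp "$5" "$work/$2-$3.git/vcs-gen-tarball"
    tar -C "$work" -czf "$6" "./$2-$3.git"
    rm -rf "$work"
}

# Step 1: the tag signature must verify inside the shallow clone, against the
# keyring in the given GNUPGHOME (not the verifier's personal keyring).
# An unsigned tag fails here as well: git reports "no signature found".
verify_tag_signature() { # clone_dir tagname gnupghome
    GNUPGHOME="$3" git -C "$1" tag -v "$2" >/dev/null 2>&1
}

# Step 2: regenerate the tarball from the clone and compare the decompressed
# tar streams by digest; comparing the .gz bytes would also flag harmless
# differences between gzip implementations or compression settings.
tarball_matches() { # orig_tar_gz clone_dir prefix tagname
    want=$(gzip -dc "$1" | sha256sum | cut -d' ' -f1)
    got=$(gen_tar_stream "$2" "$3" "$4" | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# Full check: unpack the gtsig, verify the signature, then compare content.
# Fails closed: any error in either step yields a non-zero status.
verify_gtsig() { # orig_tar_gz gtsig projname version tagname gnupghome
    tmp=$(mktemp -d)
    tar -C "$tmp" -xzf "$2"
    clone="$tmp/$3-$4.git"
    rc=1
    if verify_tag_signature "$clone" "$5" "$6" &&
       tarball_matches "$1" "$clone" "$3-$4" "$5"; then
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

The tar stream produced by git archive can itself change between git versions (pax headers, ordering), so a content mismatch from this tool should be reproduced with the same git version before it is treated as a tampered tarball.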