Hello,
Firstly, Andreas:
In the context of this productive discussion we're now having, I'd like
to ask you to use your DPL powers to increase the minimum and maximum
discussion periods for this GR by one week each.
I believe that will be enough time to nail things down, such that I can
withdraw my GR proposal with confidence that it's unneeded.
Secondly, Joerg:
Ian and I discussed it, and to make sure we are all on the same page, we
propose that we edit our TAG2UPLOAD-DESIGN.txt to match what we think
you are asking for, and then you can tell us "yes, that's what we meant"
or "no, that misses the point".
Here is a first attempt at an update -- please review.
There are some cases where this differs from your proposal, which I've
marked with "NOT YET AGREED". We're discussing those in the other
thread, and haven't quite converged yet, but we decided to write them
into this draft because we're optimistic we'll converge soon.
-- 8< --
---
TAG2UPLOAD-DESIGN.txt | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/TAG2UPLOAD-DESIGN.txt b/TAG2UPLOAD-DESIGN.txt
index 6dbfaec4..a227b32a 100644
--- a/TAG2UPLOAD-DESIGN.txt
+++ b/TAG2UPLOAD-DESIGN.txt
@@ -140,6 +140,9 @@ Not exposed via the git protocol, not even as a client.
target suite on the command line. Target host is the Builder.
(We use the existing dgit rpush signing oracle protocol.)
+ XXXX rpush protocol to be extended to include new .git.tar.xz
+ as described below
+
* Sends an email saying what it did.
* Reports the outcome success/failure and a summary line
@@ -231,6 +234,25 @@ binary build reproduction), or a suitable script, which
can verify a
reproduction attempt. For now the src:dgit test suite will check that
the upload is reproducible if run again in the same environment.
+The upload will also contain a file SOURCE_VERSION.git.tar.xz which is a
+compressed archive of the result of doing
+
+ % git clone --depth 1 -b debian/VERSION file://REPO
+
+where debian/VERSION is the maintainer's signed tag and REPO is the repository
+in which 'dgit rpush' is invoked.
+
+ NOT YET AGREED (Note that with --depth 1, this tarball
+will not always be sufficient to reproduce the whole of tag2upload's output.)
+
+This .git.tar.xz is intended for third-party auditing of what tag2upload did.
+
+NOT YET AGREED: There is a script in dgit.git, called mini-tag-fsck, which
+takes the .git.tar.xz as input, and prints a list of all files in the tagged
+commit with their git checksums, by walking the Merkle tree whose head is the
+debian/VERSION signed git tag object, re-checksumming everything as it goes.
+XXXX include more detailed description of what it does in the script header
+
Emails
------
--
Sean Whitton
