Skip to content

Conversation

@ottok
Copy link
Contributor

@ottok ottok commented Feb 18, 2025

When creating a new package, populate the git-buildpackage with additional configs and in-line comments on why and how to use them. This will make go packaging easier, more consistent and more secure as the best practices flow to all packages via good defaults.

Also add comment to explain why pristine-tar is beneficial.

template.go Outdated
if pristineTar {
fmt.Fprintf(f, "pristine-tar = True\n")
fmt.Fprintf(f, `
# Always use pristine tar to improve supply chain security and auditability
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't agree with this statement, and that it improves security. pristine-tar is a hack, and the team policy to reject its use is the correct one, we should be removing all of its usage across the team not encouraging it again. This wording tries to give it a positive side which it does not have.

If a comment needs to be added, then it should spell the team policy and that pristine-tar is problematic and should be avoided.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pristine-tar is not a hack. If you claim that it is bad, you should present some evidence, and then we can assess if it is compelling. In https://salsa.debian.org/go-team/go-team.pages.debian.net/-/merge_requests/7#note_574266 I already asked for this, and you just provided a link to a comment in a bug report that is 10+ years old.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I already presented references, rationale, and arguments why this is bad, but you keep latching on that comment as if this was the only thing presented, and as if was some stale thing that has somehow decayed by time, where time itself has somehow changed its design. And as mentioned on that other thread, that's a comment from the original developer and designer of the tool itself.

But in any case this is not how things work, you are the one approaching a team with an established policy and workflow, where you want to change it (after having just joined!), so the onus is on you to prove whether all the flaws in its design have changed at all since its inception (they have not). So I'm finding your comment about requiring evidence so that "we can assess if it is compelling" (so trying to invert the onus), while having conveniently dismissed all the previous discussion, to be rather rude.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please stop using ad hominem arguments here and in your other comments elsewhere. The merits of using pristine-tar can fully be debated on its own without having to resort to ad hominem arguments about who is suggesting it.

I have been using pristine-tar on numerous packages for many years and it works well. The man page is not stating it is a hack or discouraging it's use. It does it's job, allows one to run gbp clone of a repo when reviewing changes and building, and it is very space efficient. In the Debian packaging world where we require the package sources to include the upstream source, pristine-tar serves its purpose well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Anyway, this is not making pristine-tar default, it is just adding an inline comment if pristine-tar was used.

# will always build using the currently checked out branch as the Debian branch.
# This makes it easier for contributors to work with feature and bugfix
# branches.
ignore-branch = True
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This also goes against the current team workflow, and tries to sneak it in and encourage using debian/latest which I've already argued (see debian-devel for example), is a bad default in the Debian context. Introducing yet a different workflow in the team when we should be consolidating on the existing one, would make working on the go packages more painful.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This ignore-branch = True is simply a flag to make it easier to build branches with various names, for example using name bugfix/123456-arm64-build-error. It has nothing to do with debian/latest. It is very common for people to use multiple different branch names for bugfixes and features, and submit those branches as Merge Requests on Salsa. Once merged, the branch can be deleted.

# upstream released and what was imported into Debian.
#
# Most Go packages have tags of form 'v1.0.0'
upstream-vcs-tag = v%(version%~%-)s
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The upstream/latest branch name is not what the team workflow has agreed to, please remove that part.

Otherwise I think this change is fine, but given that I don't think it might be universally followed by upstreams, maybe it should be marked with a FIXME, and/or commented out by default.

I'd end the last sentence with a dot though.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO is used elsewhere in these templates so we should use that instead of FIXME. But I agree that a TODO comment recommending to verify that it is correct would be good.

Maybe also this line should be commented if we detect that there are no tags yet (the same way it is done in the watch file).

#
# Most Go packages don't publish signatures for the tarball releases, so this is
# not enabled by default.
#upstream-signatures = on
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a good change, and commenting it out by default seems like the safest option, indeed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For full benefits of signature checking we also need to use pristine-tar that allows bit-for-bit identical tarballs and thus signature checking for tracing the source code supply-chain.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Err, no. The tarball does not need to be stored in pristine-tar at all for the signatures to be useful. The tarball along their signatures are going to be stored in the archive, tied with the uploader signature and handed over to the archive signatures later on, there's full traceability of all this in place already.

ottok added a commit to ottok/dh-make-golang that referenced this pull request May 14, 2025
ottok added a commit to ottok/dh-make-golang that referenced this pull request May 14, 2025
@ottok ottok force-pushed the fix-gbp-conf-docs branch from 9049c4a to 5eaf8c3 Compare May 15, 2025 19:35
ottok added a commit to ottok/dh-make-golang that referenced this pull request May 15, 2025
@ottok ottok requested a review from n-peugnet July 27, 2025 18:43
When creating a new package, populate the git-buildpackage with additional
configs and in-line comments on why and how to use them. This will make
go packaging easier, more consistent and more secure as the best practices
flow to all packages via good defaults.

Contents is in line with the template used by `dh-make` version 2.202503.
@ottok ottok force-pushed the fix-gbp-conf-docs branch from 5eaf8c3 to c6fdafd Compare August 20, 2025 22:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants