Hi,
On Thu, Feb 12, 2026 at 12:42:22PM +0000, Colin Watson wrote:
> On Thu, Feb 12, 2026 at 12:25:23PM +0100, Marc Haber wrote:
> > On Thu, Feb 12, 2026 at 01:26:52AM +0000, Colin Watson wrote:
> > > Well, for my own packages I insist on including upstream git
> > > history, so this certainly wasn't my choice, and it was before my
> > > time on the DPT.
> > While we are talking about this topic: Many packages have
> > un-autoconfed sources in their git master, then tag a release, run
> > autoreconf (optionally setting a version number) on the tree and
> > package that up as their release tarball. Thus, we have the release
> > tag pointing to different content than what is in the release tarball.
> > While I do understand that this is the exact workflow that allowed the
> > xz attack to happen, this is still the reality especially for packages
> > on "Zugschlus' scrap shelf".
> > How would I:
> > - convert such a package to have the upstream git history in salsa's
> >   main branch
> > - still be able to do an upload with upstream's signed origtargz
> > - probably even have upstream git history in git log of debian/latest?
> Using "gbp import-orig --upstream-vcs-tag" [1] for the next new release
> you import from upstream takes care of this. If you use that, then your
> git history will look something like this. I've used ASCII art similar
> to tig's main view, which I hope will make sense even to people who
> aren't regular users of tig:
> . [debian/latest] Update upstream source from tag 'upstream/1.1.0'
> |\
> | . [upstream/latest] <upstream/1.1.0> New upstream version 1.1.0
> | |\
> | | . <1.1.0> Prepare 1.1.0 release
> | | |
> | | . [more upstream commits here]
> | | |
> . | | Update upstream source from tag 'upstream/1.0.0'
> |\| |
> | . | <upstream/1.0.0> New upstream version 1.0.0
I tried that for aide with this debian/watch file:
Version: 5
Source: https://api.github.com/repos/@PACKAGE@/@PACKAGE@/releases
Matching-Pattern: https://github.com/@PACKAGE@/@PACKAGE@/releases/download/v[0-9\.]+/@PACKAGE@-@SEMANTIC_VERSION@@ARCHIVE_EXT@
Search-Mode: plain
Pgpmode: auto
aide is one of those packages where the release tag is set, the
resulting tree gets autoreconfed and the result tarred up and signed,
without the autoreconf artifacts getting committed. The first mistake I
made last time I tried was using the GitHub template, which uses the API
to synthesize a tarball from the tree the release tag points to. That
one is only half the size of the official tarball and the result
obviously doesn't work.
The result is (pushed to salsa zugschlus/aide):
* cb6a51cb (HEAD -> debian/latest) Update upstream source from tag 'upstream/>
|\
| * 352d732d (tag: upstream/0.19.3, upstream/latest) New upstream version 0.1>
| |\
| | * 2278f6b4 (tag: v0.19.3, upstreamvcs/v0.19.x) Release aide 0.19.3
| | * 170ca5f7 Add aide 0.19.3 NEWS section
| | * 90a5e577 Record 021de3b in ChangeLog
| | * 3f84dccb Fix st_rdev handling
| | * 1bd4de89 Fix typos in README, NEWS and aide.conf.5
<snip all upstream commits up to the very beginning>
| | * da43920d Removed several semi-colons
| | * beb98ca7 Fixes for improper modifications of va_list
| | * 2e842546 (tag: cs.tut.fi.import) updated something
| | * 6a376bd0 updated TODO list
| | * 31daac41 added comment to ustat handling
| | * bcf57b1d Initial revision
* | 30e514f5 debian/watch to pull intended tarball from upstream
* | 41461514 (origin/debian/latest, origin/HEAD, origin) update debian/watch to>
* | f1e06405 add debian/gbp.conf
* | 4d9e0434 Switch Build-Depends-Arch from libselinux1-dev to libselinux-dev
* | 50f95d03 Bump to Standards-Version 4.7.3
* | 5dc3cb18 Drop "Priority: optional"
* | 35044561 (tag: debian/0.19.2-3) prepare release
* | 47f0078d prepare changelog
* | 2ec51c13 fix implementation of build-cache
* | 7fc96d6b improve rule: 31_aide_samba
* | a77c6393 new rule: 31_aide_xfsprogs
And indeed, 352d732d is a merge commit that also has a diff, which
seems to represent the difference to the original tarball, and the
result of gbp buildpackage contains the original tarball that fits the
upstream signature.
I think the puzzle begins to get clearer. Thank you very much.
> ... and so on. That is, the actual upstream tag will be an additional
> parent of the commit on your "upstream/latest" (or whatever) branch.
> The commits that are "directly" on your upstream/latest branch will have
> trees that are identical to the unpacked release tarballs. In the
> example above, the diff between the commits I've identified as <1.1.0>
> and <upstream/1.1.0> should be equivalent to the effect of running
> "autoreconf" or "make dist" or whatever upstream do to make their
> release tarballs.
Thank you. I think I have understood.
That will solve the issue for what we have TODAY, for future upstream
versions.
The monk in me would like to rebuild the full repository that way,
retroactively joining the past release tags that are now in the
repository with the points in the past when gbp import-orig
--pristine-tar /path/to/tarball was called on a release tarball.
Has this ever been done, or is it just too much work?
In theory, the way would probably be:
rename debian/* (tags and branches) to debian-legacy/*
obtain old upstream release tarballs (from Debian proper, from s.d.o, or
from Upstream), sort in ascending order
pick first release tarball t
find version v of release tarball t
branch off upstream/latest from upstreamvcs' release tag v
branch off debian/latest
check out debian directory from debian-legacy/v
commit
loop:
  gbp --import-orig t (this should create upstream/v)
  pop release tarball list
  get new first release tarball t
  remember old version v as v(old)
  find new version v of release tarball t
  git cherry-pick debian-legacy/v(old)..debian-legacy/v^
  git tag debian/v(old)
  verify that debian/v(old) is tree-identical to debian-legacy/v(old)
  somehow do what uscan --upstream-release-tag does for v
next loop
I think the thing that keeps me from trying is that I don't know what
uscan --upstream-release-tag does for a given v, and whether this also
works when this v is not the latest one.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
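Added example (mine, not gbp's or anything from the thread): with the layout Colin describes, everything the tarball carries beyond the tagged tree is just the diff from the upstream release tag (v0.19.3 above) to the imported tag (upstream/0.19.3), and this Python helper sorts that diff into files autoreconf is expected to generate and files worth reading by hand. The allowlist, the function names and the sample diff are my assumptions.

```python
import fnmatch
import subprocess

# Assumed allowlist of what autoreconf, automake -a and libtoolize drop into a
# release tree.  Kept narrow: only the libtool macros are expected under m4/,
# so a hand-written .m4 file present in the tarball but not in git gets reviewed.
EXPECTED_GENERATED = [
    "configure", "aclocal.m4", "config.h.in", "Makefile.in", "*/Makefile.in",
    "INSTALL", "compile", "config.guess", "config.sub", "depcomp",
    "install-sh", "ltmain.sh", "missing", "build-aux/*",
    "m4/libtool.m4", "m4/ltoptions.m4", "m4/ltsugar.m4", "m4/ltversion.m4",
    "m4/lt~obsolete.m4",
]


def classify(name_status_lines):
    """Sort 'git diff --name-status <vcs-tag> <upstream-tag>' output into
    files autoreconf is expected to produce, files that need a human look,
    and files that exist only in git (and so cannot add tarball-only code)."""
    buckets = {"generated": [], "review": [], "dropped": []}
    for line in name_status_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 2:
            continue                      # blank or malformed line
        status, path = fields[0][0], fields[-1]   # renames list old and new path; keep new
        if status == "D":
            buckets["dropped"].append(path)
        elif any(fnmatch.fnmatch(path, pat) for pat in EXPECTED_GENERATED):
            buckets["generated"].append(path)
        else:
            buckets["review"].append(path)
    return {name: sorted(paths) for name, paths in buckets.items()}


def tarball_extras(repo, vcs_tag, upstream_tag):
    """Run the diff against a real checkout, e.g. tarball_extras('.', 'v0.19.3', 'upstream/0.19.3')."""
    proc = subprocess.run(
        ["git", "-C", repo, "diff", "--name-status", vcs_tag, upstream_tag],
        check=True, capture_output=True, text=True)
    return classify(proc.stdout.splitlines())


if __name__ == "__main__":
    # Constructed sample; not a diff taken from the aide repository.
    sample = ["A\tconfigure", "A\tMakefile.in", "A\tsrc/Makefile.in",
              "A\taclocal.m4", "A\tm4/libtool.m4", "A\tm4/build-helper.m4",
              "M\tsrc/main.c", "D\t.gitignore"]
    for bucket, paths in classify(sample).items():
        print(f"{bucket:9}: {', '.join(paths) or '-'}")
```

Anything in the review bucket is a good candidate for regenerating with autoreconf yourself and diffing against the tarball copy before trusting the release.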