[Debian-salsa-ci] Repacking source package files in Salsa-CI

James Addison jay at jp-hosting.net
Thu Jan 8 12:59:08 GMT 2026


On Tue, 6 Jan 2026 at 18:01, Otto Kekäläinen <otto at debian.org> wrote:
>
> Hi!
>
> > Unfortunately upstream here does not provide tagged git versions or
> > tarballs - we only have the individual commits to work from.  As far
> > as I am aware, gbp import-orig is not compatible with that kind of
> > workflow.
>
> In that case you can look at
> https://salsa.debian.org/go-team/packages/ratt/-/tree/debian/latest/debian
> for an example of how I've done it. The debian/watch file simply points
> to the upstream git HEAD, and the debian/gbp.conf has this note:
>
> # Ratt has no tags or releases at https://github.com/Debian/ratt
> # Instead, merge latest commit from 'master' on 'upstream' and tag it
> # as the imported version
> #upstream-vcs-tag = v%(version%~%-)s
>
> If upstream does not do any releases, there are no security features
> to use (neither detached signatures nor signed git tags), so the audit
> trail is inevitably going to be weak, but you should still be able to
> use `gbp import-orig --uscan`, which runs `uscan` and applies
> `debian/copyright:Files-Excluded` automatically.
>
> I am not sure about all the details; I haven't done a package with no
> releases _and_ repacking in the same combo. In general, though, I
> recommend sticking to a workflow where simply running `gbp import-orig
> --uscan` works, as the more manual fiddling you have in the import, the
> less likely it is that the next person, or you yourself a year from
> now, will be able to keep the package uniform and repeat the exact
> same way of importing.

Thanks again Otto.

If I understand this correctly: I should be able to rework the
packaging so that the git sources are imported into a source tarball
(sans Files-Excluded content) from upstream HEAD by uscan, and -- from
what I follow of the uscan documentation -- that process can also add
the appropriate year-month-day + git commit ID to the changelog.  The
changelog/packaging naming has so far been a process I've followed
manually, so using uscan instead would be much simpler, more
repeatable, less error-prone, and also solve the Files-Excluded
repacking problem.

I'll think about whether there is anything I could do in addition to
mitigate the security/provenance question.  Provided that the filtered
tarball is pushed to a git branch in Salsa, and that the changelog
entries have a timestamp and a sufficiently-long git SHA prefix, I
figure it's not terrible -- but maybe there are some other simple
safety mechanisms that could prevent basic problems and/or add
integrity.

James
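For concreteness, this is what the setup Otto describes and James plans to adopt (debian/watch pointing at upstream git HEAD, repacking driven by Files-Excluded, a tarball-based gbp.conf) looks like as files. It is an illustration added to this archive page, not copied from the ratt packaging or from James's package; the excluded paths, the `+ds` suffix and the branch names are placeholders.

```text
# debian/watch: uscan git mode, tarball produced by `git archive` from HEAD.
# pretty= yields versions such as 0.0~git20260106.1a2b3c4 (constructed example);
# repacksuffix is appended after Files-Excluded is applied, and
# dversionmangle=auto strips it again when comparing with debian/changelog.
version=4
opts="mode=git, pretty=0.0~git%cd.%h, repacksuffix=+ds, dversionmangle=auto" \
  https://github.com/Debian/ratt HEAD

# debian/copyright header (only the fields that matter for repacking;
# the Files-Excluded paths below are placeholders)
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: ratt
Source: https://github.com/Debian/ratt
Files-Excluded: vendor/*
                testdata/large-fixture.bin

# debian/gbp.conf: the import is tarball-based, so no upstream-vcs-tag
# is set (DEP-14 branch names assumed)
[DEFAULT]
upstream-branch = upstream/latest
debian-branch = debian/latest
pristine-tar = True
```

Pick the `pretty=` scheme so that `dpkg --compare-versions` ranks the generated version above the hand-named versions already in the changelog; otherwise `uscan` will report that nothing newer exists. With this in place `gbp import-orig --uscan` fetches, repacks and imports in one step with no manual filtering.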
