v3 Debian source package formats

Manoj Srivastava srivasta at acm.org
Sat Oct 4 05:35:28 UTC 2008 

On Fri, Oct 03 2008, George Danchev wrote:

> On Thursday 02 October 2008 20:33:00 Manoj Srivastava wrote:
>> On Thu, Oct 02 2008, George Danchev wrote:
>> > Quoting Manoj Srivastava <srivasta at acm.org>:
>
> --cut--
>
>> > Nobody is comparing git with quilt, really. Obviously you are trying
>> > to compare different unit types as a result of muddle thinking. It is
>> > not git *or* quilt, but DVCS *and* some sort of patch series and I see
>> > LKML and git developers constantly performing that. So, forget about
>> > quilt and think of the least common multiple as an abstract change
>> > units every can inherit and extend.
>>
>>         Fine. Then I  posit that the best way to help people is to give
>>  them the same environment that I work with (preferred form of
>>  modification and all). This means putting in ./debian/topic a patchset
>>  for each pure featrue branch, that  is not serialized, so people can
>>  try out each fauture by itself, makes it easier for upstream or
>>  downstream to get a single  feature cherry picked.
>
> Now, that is something different, and if I understand correctly it is
> targetting 3.0 (git) format, that's fine.

        Actually, this is not targeting the 3.0 formats at all. I
 intend to start shipping my packages with version 1.0 format, and a
 ./debian/topics directory with patches corresponding to every pure
 feature branch I have.

> The best part is that the users will get your environement via the
> debian source package, i.e. what is officially released by Debian and
> what buildd's had been fed with, right ?

        Right. The diff.gz is what the buildd's are fed, each of the
 patchsets in ./debian/topic recreate exactly the feature branches used
 to develop the code, the orig.tar.gz is the upstream branch. So, just
 using the orig.ar.gz and each of these patches, one can exactly
 replicate the tip of all the branches in use.



> I can also see your effort to avoid serialization, since it somehow
> doesn't fit well enough in the distributed model.

        I don't think fit into the distributed model has anything to do
 with it.  I find serialized patches harder to read than pure feature
 patches. Also, I find it hard to try out just one feature if all the
 features are ordered and serialized; the features at the end of the
 chain are very hard to decipher.

        I am just making it easier for people to read the patches.

> However, I'm not exactly sure if users really need that since they
> will hardly intend to develop in parallel with you via the debian
> source package they just apt-get source'd, instead they would love to
> perform a mere audit test, i.e. how Debian patched a particular
> upstream version, when the simple patch series is enough.

        Well, given that it is not the distributed vs one-off mode that
 makes me dislike serialization, this bit is working off a an assumption
 that misconstrues my motives a bit. I am providing easier to read
 patches, allow people to concentrate on one feature at a time, and
 patch upstream with features independently.  Now, for non-audit
 purposes, this is just fine, since people can examine all changes made
 to upstream.

        For security audit, you still need to audit the source that was
 compiled; and that is represented by the diff.gz. Looking at a dozen or
 so patches (PAM had nearer two dozen at one point) can be hard, since
 an exploit can be broken into bits and innocuous bits be present in
 each patch, but combined, be a security leak. So you audit the
 integrated sources. The ./debian/topic stuff is already gives people a
 conceptual understanding of each features changes, and shoule be enough
 to explain the obscure bits of the diff.gz.

        I think I want the patch series to be more than that. I want my
 source packages to fully enable people in the free software community,
 wh like to see the code to try out variations, and try one or more
 feature on their own, I can then ship features that are not merged into
 the integration branch as too controversial, and people can try even
 these features if they wish.


>>         The diff.gz is then the integration branch, and produces the
>>  sources that the package was built from.
>>
>>         The one thing you lose is the serialization changes (the efort
>>  that is spent in serializing the features).
>
> OTOH, nothing stops the user-side to get their patch series back via
> `tg export --quilt' on the top of your 3.0 (git) package if needed, or
> am I missing something here ?

        No, they can, if ever we do get 3.0(git) accepted. I understand
 there is some resistance. I am also willing to use topgit, just so the
 branches may be serialized by anyone with access to the git repo, eve
 if I just end up using the persistent integration branch that tg
 creates; and not convert it into a quilt series in the source package.

        Mind you, 3.0 (git) does not support submodules, so I am
 unlikely to be able to use the 3.0 format as it exists.

> Given that, the main question is: do we really need to push all that
> distributed burden to the mortal user, when he merely needs to see
> (review/audit) divergencies from upstream -> a mere patch series will
> do, and will simplify the things.

        For me, it is simpler to generate the feature patches (no topgit
 needed) than it is to serialize them. And since I believe the
 unserialized patches are easier to read, and understand, and also allow
 people to try upstream + single feature more easily, allow upstream
 (or, for that matter, downstream) to grab a single feature directly, I
 think I'll stop at using topgit, so people who want to serialize can
 use topgit to do so, but I will prefer to ship the pure unserialized
 patches. 

> OTOH, if he really wants to develop in parallel with you or upstream
> developers he will jump thru all the hoops of the distributed model
> and will hardly depend on your DVCS-ready debian source
> package. Undoubtedly, from the debian developer point of view, users
> doing that via the debian source package (since it is a ready to go
> git repo) would be a pleasant surprise, but do all users-reviewers are
> ready to pay that price. I'm quite uncertain about that, and only time
> will tell, so I might be wrong.

        I am not providing the patches for audit purposes. I am
 providing the patches so people can see what features I have installed;
 even if they do not understand git. They can see each feature, and the
 integration of all (most?) of the features.

        Now, you seem to be coming at this from the code audit
 viewpoint, and not to trust the developer when they say these pure
 feature branches were put together into that integration branch. I
 think it is not unreasonable to ask people to audit the integration
 branch (diff.gz), using the feature branches (./debian/topic/featureX)
 to understand how the diff.gz is put together.

>
>>         Given the advantages (ability to checkout any feature
>>  independently, exact replication of the developers working
>>  environment), I am willing to fail on the linkage between feature
>>  branches and the integration branch being re-done on the fly during
>>  build.
>
> re-doing that build-time might be fragile, though I can't think of any 
> unexpected results right now, but seems to be doable.

        Hmm. I would be willing to use topgit just so people can
 serialize the branches, even if I am not shipping the serialized
 patches.

        manoj

-- 
Be careful!  UGLY strikes 9 out of 10!
Manoj Srivastava <srivasta at acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

More information about the vcs-pkg-discuss mailing list