Closed fepitre closed 3 years ago
Thanks for the initiative, @fepitre!
warning due to older log date entry with respect to debian compat. This can be something like this but as I'm not in the Uploaders fields lintian is popping warnings about that,
Happy to add you to the Uploaders field. If you like, you can send another commit that does so.
pedantic: apt-transport-in-toto: executable-in-usr-lib usr/lib/apt/methods/intoto. I doubt we can change that until apt is handling this location?
Agreed. Seems like we have to live with that.
I think we can also pop Vagrant from the Uploader list, unless he still likes to be involved. (cc @vagrantc 👋 )
Oh and I just saw that we need to bump in-toto to 1.0.0 in Build-Depends and Depends in d/control, given the changes from #27.
On Tue, Jan 26, 2021 at 05:51:03AM -0800, Frédéric Pierret wrote:
@lukpueh @h01ger : running
lintian --info --pedantic --display-info $changes_file
shows:1) warning due to older log date entry with respect to debian compat. This can be something like this but as I'm not in the Uploaders fields lintian is popping warnings about that,
that can be ignored and will be fixed by the next upload anyway.
2) pedantic: apt-transport-in-toto: executable-in-usr-lib usr/lib/apt/methods/intoto. I doubt we can change that until
apt
is handling this location?
I guess so too and advice to ignore this for now.
if this is all in apt-transport-in-toto then i'm sorry for the noise and gently point in the direction of the dnf related packages ;)
-- cheers, Holger
⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄
In Europe there are people prosecuted by courts because they saved other people from drowning in the Mediterranean Sea. That is almost as absurd as if there were people being prosecuted because they save humans from drowning in the sea.
@lukpueh what about like this? I'm not sure about good practices for git history/debian changelog to adopt? I've not removed @vagrantc.
On Tue, Jan 26, 2021 at 06:59:01AM -0800, lukpueh wrote:
+apt-transport-in-toto (0.1.1) unstable; urgency=low
gah, I missed this when sponsoring :(
the next version number should be 0.1.1-1 (and the already uploaded one should have been 0.1.0-1 but I missed that.)
- Update intoto.py to use
securesystemslib
- debian/control:
- Bump standards version to 4.5.1
- Add python3-securesystemslib in Depends Awesome, would you mind if we change this PR title to something like "Prepare 0.1.1 release" and change the base branch from
debian
todevelop
?
please push this to the debian branch ASAP, so I can upload this to NEW once I come back from a biking tour in an hour or two :)
-- cheers, Holger
⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄
If you own several guns but no guitars, you are doing life all wrong.
On Tue, Jan 26, 2021 at 06:59:01AM -0800, lukpueh wrote: +apt-transport-in-toto (0.1.1) unstable; urgency=low gah, I missed this when sponsoring :( the next version number should be 0.1.1-1 (and the already uploaded one should have been 0.1.0-1 but I missed that.)
Are you sure? We release this as native... https://github.com/in-toto/apt-transport-in-toto/blob/904332d6aafa9b974c7ae50625540fc8772298f5/debian/source/format#L1
... and I was under the impression that native packages don't have a Debian release number. At least that's what the Debian Mentors FAQ about native vs. non-native says.
@lukpueh @h01ger here what I've done:
develop
branch: https://github.com/in-toto/apt-transport-in-toto/pull/30 with signed tag v0.1.1
mentors
branch https://github.com/fepitre/apt-transport-in-toto/tree/mentors where I rebased current #29 PR on top of #30.I've been able to build mentors
branch using generated tag archive v0.1.1
.
Waiting for your feedback :)
Waiting for your feedback :)
Just commented on your other PR (see https://github.com/in-toto/apt-transport-in-toto/pull/30#issuecomment-767662607)... So I suggest we:
develop
(debian
branch has no special meaning in this repo, it was just the name of the topic branch in #26),fepitre:update260121
on top of the up-to-date upstream develop
,* close #30,
Done.
* change the base of this PR to the default branch `develop` (`debian` branch has no special meaning in this repo, it was just the name of the topic branch in #26), * rebase `fepitre:update260121` on top of the up-to-date upstream `develop`,
The two points are the same right?
* wait for Holger to make the call about "native and 0.1.1" or "quilt and 0.1.1-1" and adopt the PR accordingly, * merge && tag and build && upload to mentors (in random order)
Yes wait for @h01ger's feedback.
The two points are the same right?
Nope. I meant:
- change the base of this PR to the default branch
develop
Tell GitHub to PR against develop
instead of debian
, like so https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/changing-the-base-branch-of-a-pull-request
- rebase
fepitre:update260121
on top of the up-to-date upstreamdevelop
,
git remote add upstream git@github.com:in-toto/apt-transport-in-toto.git
git checkout develop
git pull upstream develop
git checkout update260121
git rebase develop
git push origin update260121 -f # origin being https://github.com/fepitre/apt-transport-in-toto
The two points are the same right?
Nope. I meant:
- change the base of this PR to the default branch
develop
Tell GitHub to PR against
develop
instead ofdebian
, like so https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/changing-the-base-branch-of-a-pull-request
- rebase
fepitre:update260121
on top of the up-to-date upstreamdevelop
,git remote add upstream git@github.com:in-toto/apt-transport-in-toto.git git checkout develop git pull upstream develop git checkout update260121 git rebase develop git push origin update260121 -f # origin being https://github.com/fepitre/apt-transport-in-toto
Yes sure :)
On 2021-01-26, lukpueh wrote:
I think we can also pop Vagrant from the Uploader list, unless he still likes to be involved. (cc @vagrantc 👋 )
As much as I would have liked to help more, I haven't had a chance to dive into in-toto, so sure, feel free to remove me.
live well, vagrant
Thanks for the heads-up, Vagrant. I am sure there will be other opportunities in the future to collaborate! :)
@fepitre, would you mind taking Vagrant off the Uploaders list as part of this PR?
Also, @h01ger, I just ticketized the other remaining task, i.e. signing the default layout (see https://github.com/in-toto/apt-transport-in-toto/issues/31). Let me know if you'd like to do this as part of 0.1.1 or hold it off for a later release. I'm fine either way and happy to assist.
On Tue, Jan 26, 2021 at 08:06:05AM -0800, lukpueh wrote:
@@ -1 +1 @@ -3.0 (native) +3.0 (quilt)
What speaks against native? I felt like an apt transport was a good use case for native because it's unlikely to be used outside of Debian (or a Debian derivative),
precisely because it can be used in Debian and derivatives it should not be a native Debian package! and this is also why I dislike native packages: no gain, for much confusion.
apt-transport-in-toto release is at 0.1.1 debian does a -1 release/revision ubuntu does whatever modification on top, still based on the same orig.
with native packaging, this will result in three different orig.tar's for the same 0.1.1 release.
ok, wrong. (it's late.)
let's try again, correctly:
apt-transport-in-toto release is at 0.1.1 in debian ubuntu does whatever modification on top, calls it 0.1.1+ubuntu0
which results in 2 different orig.tar's for the same 0.1.1 release.
that's why I think there's no package which should be Debian native. there will always be a derivative doing what ever modification.
(and even if there is no derivative, like for src:debian-edu-artwork, it's really nice to upload a packaging fix with 4kb instead of uploading a 50 megabyte "new orig" version... been there, done/doing that.)
-- cheers, Holger
⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄
The greatest danger in times of turbulence is not the turbulence; it is to act with yesterdays logic. (Peter Drucker)
On Tue, Jan 26, 2021 at 09:25:20AM -0800, lukpueh wrote:
Also, @h01ger, I just ticketized the other remaining task, i.e. signing the default layout (see https://github.com/in-toto/apt-transport-in-toto/issues/31). Let me know if you'd like to do this as part of 0.1.1 or hold it off for a later release. I'm fine either way and happy to assist.
I'll look tomorrow :) I'm glad there's a 0.1.1 release too! More soon! :)
-- cheers, Holger
⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄
Thanks for the detailed explanation about native vs. non-native, @h01ger! I should know better by now and stop questioning your Debian packaging expertise. :)
Just built an orig.tar.gz created from this PR and got the following lintian messages:
I can add a watch and upstream metadata file and push here, if you don't mind, @fepitre.
@lukpueh sure no problem I'll not (force) push anything more except if you request it to me :)
@h01ger, another question regarding native vs. non-native:
Given that the release we are currently preparing here only changes debian/* files compared to 0.1.0, should there even be another upstream release? If not, then the release we are preparing here should probably be 0.1.0-2 and not 0.1.1-1, right?
@h01ger, another question regarding native vs. non-native:
Given that the release we are currently preparing here only changes debian/* files compared to 0.1.0, should there even be another upstream release? If not, then the release we are preparing here should probably be 0.1.0-2 and not 0.1.1-1, right?
Waiting for @h01ger's answer, from my humble opinion I would say yes if you consider my latest updates (use securesystemlibs
etc) to be part of 0.1.0 release.
On Wed, Jan 27, 2021 at 02:54:23AM -0800, lukpueh wrote:
@h01ger, another question regarding native vs. non-native:
Given that the release we are currently preparing here only changes debian/* files compared to 0.1.0, should there even be another upstream release? If not, then the release we are preparing here should probably be 0.1.0-2 and not 0.1.1-1, right?
best if there would be another upstream release, because 0.1.0.orig.tar.gz has already been uploaded to NEW, so we need something else (as one cannot replace files in the archive), eg 0.1.1 Or we could rename 0.1.0.orig.tar.gz to 0.1.0+fixup0.orig.tar.gz and upload that, but I would prefer 0.1.1 but 0.1.0+fixup0 is also fine, there will be 0.1.1 eventually anyway.
just add some explaination about root.layout or improve the README a bit or some such ;)
-- cheers, Holger
⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄
„If you don't like vaccination, try the disease.“ (Herwig Kollaritsch)
0.1.0.1 or 0.1.0a could also be used instead of 0.1.0+fixup0...
naming things, such fun! :)
-- cheers, Holger
⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄
Dance like no one's watching. Encrypt like everyone is.
Haha, okay I'll just prepare an 0.1.1 upstream release in a separate PR. And we use this PR to prepare downstream 0.1.1-1.
So I've prepared a very basic 0.1.1 upstream release in #32 for the reasons outlined by Holger in https://github.com/in-toto/apt-transport-in-toto/pull/29#issuecomment-768210307. Once that's merged (we still have to decide on some technicalities, see https://github.com/in-toto/apt-transport-in-toto/pull/32#issuecomment-768286479), I can publish the upstream 0.1.1 release, and we finalize the downstream 0.1.1-1 here.
On Wed, Jan 27, 2021 at 05:51:26AM -0800, lukpueh wrote:
So I've prepared a very basic 0.1.1 upstream release in #32 for the reasons outlined by Holger in https://github.com/in-toto/apt-transport-in-toto/pull/29#issuecomment-768210307. Once that's merged (we still have to decide on some technicalities, see https://github.com/in-toto/apt-transport-in-toto/pull/32#issuecomment-768286479), I can publish the upstream 0.1.1 release, and we finalize the downstream 0.1.1-1 here.
I think you can do the 0.1.1 release assuming/as if apt-transport-in-toto already has made it out of NEW...
-- cheers, Holger
⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄
Stop saying that we are all in the same boat. We’re all in the same storm. But we’re not all in the same boat.
There we go: https://github.com/in-toto/apt-transport-in-toto/releases/tag/v0.1.1
@fepitre, do you want to build v0.1.1-1 based on the new upstream release and the updated d/* files here in #29, and upload it to mentors?
There we go: https://github.com/in-toto/apt-transport-in-toto/releases/tag/v0.1.1
@fepitre, do you want to build v0.1.1-1 based on the new upstream release and the updated d/* files here in #29, and upload it to mentors?
Sure I'll do it now.
@lukpueh the build is not happy:
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building apt-transport-in-toto using existing ./apt-transport-in-toto_0.1.1.orig.tar.gz
dpkg-source: warning: upstream signing key but no upstream tarball signature
dpkg-source: warning: ignoring deletion of file CHANGELOG.md, use --include-removal to override
dpkg-source: info: local changes detected, the modified files are:
apt-transport-in-toto/README.md
dpkg-source: info: you can integrate the local changes with dpkg-source --commit
dpkg-source: error: aborting due to unexpected upstream changes, see /tmp/apt-transport-in-toto_0.1.1-1.diff.cHeOu0
dpkg-buildpackage: error: dpkg-source -b . subprocess returned exit status 2
I'm on this current branch #29 where I've cleaned properly local folder and ran uscan to get sources and trying to dpkg-buildpackage. Is this because of REAME diff?
@lukpueh I've synced the diff. Is it fine?
@lukpueh I think you have edited my previous comment :) And yes I've downloaded both archive and .asc file. We are good with my commit: https://gist.github.com/fepitre/02950fac4e90fa4e74730b850eb82475
@lukpueh I think you have edited my previous comment :) And yes I've downloaded both archive and .asc file.
haha, sorry. I meant to quote. Let me revert.
@lukpueh I've synced the diff. Is it fine?
It looks fine, but instead of committing the changes from develop here, I'd probably just rebase this branch on upstream develop.
@lukpueh I've synced the diff. Is it fine?
It looks fine, but instead of committing the changes from develop here, I'd probably just rebase this branch on upstream develop.
Yes that is better. Would you like me to do it?
Lintian complains about watch
not checking for upstream signature, see https://github.com/in-toto/apt-transport-in-toto/pull/29#discussion_r565308826.
Lintian complains about
watch
not checking for upstream signature, see #29 (comment).
Yes I see that. I can try to fix this.
Yes I see that. I can try to fix this.
Awesome, thanks! I just pushed a commit that fixed another easy-to-fix QA info. Will sign off for today. Feel free to push another build to mentors!
@lukpueh Uploaded to mentors and @h01ger has uploaded it to ftp master! I think you can merge this PR! \o/
You guys rock! :) Thanks for your help, @fepitre and @h01ger!
I can merge this and also git reset --hard
the upstream debian
branch to it, now that we have dedicated it to tracking downstream release metadata changes...
https://github.com/in-toto/apt-transport-in-toto/blob/c2892e50edccb362de24e498aaae68cc733f394b/debian/control#L25
@lukpueh @h01ger : running
lintian --info --pedantic --display-info $changes_file
shows:1) warning due to older log date entry with respect to debian compat. This can be something like this but as I'm not in the Uploaders fields lintian is popping warnings about that,
2) pedantic: apt-transport-in-toto: executable-in-usr-lib usr/lib/apt/methods/intoto. I doubt we can change that until
apt
is handling this location?