search

in-toto / apt-transport-in-toto

in-toto transport for apt
Other
8 stars 6 forks source link

Prepare downstream debian release 0.1.1-1 #29

Closed fepitre closed 3 years ago

fepitre commented 3 years ago

@lukpueh @h01ger : running lintian --info --pedantic --display-info $changes_file shows:

1) warning due to older log date entry with respect to debian compat. This can be something like this but as I'm not in the Uploaders fields lintian is popping warnings about that,

2) pedantic: apt-transport-in-toto: executable-in-usr-lib usr/lib/apt/methods/intoto. I doubt we can change that until apt is handling this location?

lukpueh commented 3 years ago

Thanks for the initiative, @fepitre!

warning due to older log date entry with respect to debian compat. This can be something like this but as I'm not in the Uploaders fields lintian is popping warnings about that,

Happy to add you to the Uploaders field. If you like, you can send another commit that does so.

pedantic: apt-transport-in-toto: executable-in-usr-lib usr/lib/apt/methods/intoto. I doubt we can change that until apt is handling this location?

Agreed. Seems like we have to live with that.

lukpueh commented 3 years ago

I think we can also pop Vagrant from the Uploader list, unless he still likes to be involved. (cc @vagrantc 👋 )

lukpueh commented 3 years ago

Oh and I just saw that we need to bump in-toto to 1.0.0 in Build-Depends and Depends in d/control, given the changes from #27.

h01ger commented 3 years ago

On Tue, Jan 26, 2021 at 05:51:03AM -0800, Frédéric Pierret wrote:

@lukpueh @h01ger : running lintian --info --pedantic --display-info $changes_file shows:

1) warning due to older log date entry with respect to debian compat. This can be something like this but as I'm not in the Uploaders fields lintian is popping warnings about that,

that can be ignored and will be fixed by the next upload anyway.

2) pedantic: apt-transport-in-toto: executable-in-usr-lib usr/lib/apt/methods/intoto. I doubt we can change that until apt is handling this location?

I guess so too and advice to ignore this for now.

if this is all in apt-transport-in-toto then i'm sorry for the noise and gently point in the direction of the dnf related packages ;)

-- cheers, Holger

⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄

In Europe there are people prosecuted by courts because they saved other people from drowning in the Mediterranean Sea. That is almost as absurd as if there were people being prosecuted because they save humans from drowning in the sea.

fepitre commented 3 years ago

@lukpueh what about like this? I'm not sure about good practices for git history/debian changelog to adopt? I've not removed @vagrantc.

h01ger commented 3 years ago

On Tue, Jan 26, 2021 at 06:59:01AM -0800, lukpueh wrote:

+apt-transport-in-toto (0.1.1) unstable; urgency=low

gah, I missed this when sponsoring :(

the next version number should be 0.1.1-1 (and the already uploaded one should have been 0.1.0-1 but I missed that.)

    • Update intoto.py to use securesystemslib
    • debian/control:
    • Bump standards version to 4.5.1
    • Add python3-securesystemslib in Depends Awesome, would you mind if we change this PR title to something like "Prepare 0.1.1 release" and change the base branch from debian to develop?

please push this to the debian branch ASAP, so I can upload this to NEW once I come back from a biking tour in an hour or two :)

-- cheers, Holger

⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄

If you own several guns but no guitars, you are doing life all wrong.

lukpueh commented 3 years ago

On Tue, Jan 26, 2021 at 06:59:01AM -0800, lukpueh wrote: +apt-transport-in-toto (0.1.1) unstable; urgency=low gah, I missed this when sponsoring :( the next version number should be 0.1.1-1 (and the already uploaded one should have been 0.1.0-1 but I missed that.)

Are you sure? We release this as native... https://github.com/in-toto/apt-transport-in-toto/blob/904332d6aafa9b974c7ae50625540fc8772298f5/debian/source/format#L1

... and I was under the impression that native packages don't have a Debian release number. At least that's what the Debian Mentors FAQ about native vs. non-native says.

fepitre commented 3 years ago

@lukpueh @h01ger here what I've done:

I've been able to build mentors branch using generated tag archive v0.1.1.

Waiting for your feedback :)

lukpueh commented 3 years ago

Waiting for your feedback :)

Just commented on your other PR (see https://github.com/in-toto/apt-transport-in-toto/pull/30#issuecomment-767662607)... So I suggest we:

fepitre commented 3 years ago 
* close #30,

Done.

* change the base of this PR to the default branch `develop` (`debian` branch has no special meaning in this repo, it was just the name of the topic branch in #26),

* rebase `fepitre:update260121` on top of the up-to-date upstream `develop`,

The two points are the same right?

* wait for Holger to make the call about "native and 0.1.1" or "quilt and 0.1.1-1" and adopt the PR accordingly,

* merge && tag and build && upload to mentors (in random order)

Yes wait for @h01ger's feedback.

lukpueh commented 3 years ago

The two points are the same right?

Nope. I meant:

  • change the base of this PR to the default branch develop

Tell GitHub to PR against develop instead of debian, like so https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/changing-the-base-branch-of-a-pull-request

  • rebase fepitre:update260121 on top of the up-to-date upstream develop,
git remote add upstream git@github.com:in-toto/apt-transport-in-toto.git
git checkout develop
git pull upstream develop
git checkout update260121
git rebase develop
git push origin update260121 -f # origin being https://github.com/fepitre/apt-transport-in-toto
fepitre commented 3 years ago

The two points are the same right?

Nope. I meant:

  • change the base of this PR to the default branch develop

Tell GitHub to PR against develop instead of debian, like so https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/changing-the-base-branch-of-a-pull-request

  • rebase fepitre:update260121 on top of the up-to-date upstream develop,
git remote add upstream git@github.com:in-toto/apt-transport-in-toto.git
git checkout develop
git pull upstream develop
git checkout update260121
git rebase develop
git push origin update260121 -f # origin being https://github.com/fepitre/apt-transport-in-toto

Yes sure :)

vagrantc commented 3 years ago

On 2021-01-26, lukpueh wrote:

I think we can also pop Vagrant from the Uploader list, unless he still likes to be involved. (cc @vagrantc 👋 )

As much as I would have liked to help more, I haven't had a chance to dive into in-toto, so sure, feel free to remove me.

live well, vagrant

lukpueh commented 3 years ago

Thanks for the heads-up, Vagrant. I am sure there will be other opportunities in the future to collaborate! :)

@fepitre, would you mind taking Vagrant off the Uploaders list as part of this PR?

lukpueh commented 3 years ago

Also, @h01ger, I just ticketized the other remaining task, i.e. signing the default layout (see https://github.com/in-toto/apt-transport-in-toto/issues/31). Let me know if you'd like to do this as part of 0.1.1 or hold it off for a later release. I'm fine either way and happy to assist.

h01ger commented 3 years ago

On Tue, Jan 26, 2021 at 08:06:05AM -0800, lukpueh wrote:

@@ -1 +1 @@ -3.0 (native) +3.0 (quilt)

What speaks against native? I felt like an apt transport was a good use case for native because it's unlikely to be used outside of Debian (or a Debian derivative),

precisely because it can be used in Debian and derivatives it should not be a native Debian package! and this is also why I dislike native packages: no gain, for much confusion.

apt-transport-in-toto release is at 0.1.1 debian does a -1 release/revision ubuntu does whatever modification on top, still based on the same orig.

with native packaging, this will result in three different orig.tar's for the same 0.1.1 release.

ok, wrong. (it's late.)

let's try again, correctly:

apt-transport-in-toto release is at 0.1.1 in debian ubuntu does whatever modification on top, calls it 0.1.1+ubuntu0

which results in 2 different orig.tar's for the same 0.1.1 release.

that's why I think there's no package which should be Debian native. there will always be a derivative doing what ever modification.

(and even if there is no derivative, like for src:debian-edu-artwork, it's really nice to upload a packaging fix with 4kb instead of uploading a 50 megabyte "new orig" version... been there, done/doing that.)

-- cheers, Holger

⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄

The greatest danger in times of turbulence is not the turbulence; it is to act with yesterdays logic. (Peter Drucker)

h01ger commented 3 years ago

On Tue, Jan 26, 2021 at 09:25:20AM -0800, lukpueh wrote:

Also, @h01ger, I just ticketized the other remaining task, i.e. signing the default layout (see https://github.com/in-toto/apt-transport-in-toto/issues/31). Let me know if you'd like to do this as part of 0.1.1 or hold it off for a later release. I'm fine either way and happy to assist.

I'll look tomorrow :) I'm glad there's a 0.1.1 release too! More soon! :)

-- cheers, Holger

⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄

lukpueh commented 3 years ago

Thanks for the detailed explanation about native vs. non-native, @h01ger! I should know better by now and stop questioning your Debian packaging expertise. :)

Just built an orig.tar.gz created from this PR and got the following lintian messages:

I can add a watch and upstream metadata file and push here, if you don't mind, @fepitre.

fepitre commented 3 years ago

@lukpueh sure no problem I'll not (force) push anything more except if you request it to me :)

lukpueh commented 3 years ago

@h01ger, another question regarding native vs. non-native:

Given that the release we are currently preparing here only changes debian/* files compared to 0.1.0, should there even be another upstream release? If not, then the release we are preparing here should probably be 0.1.0-2 and not 0.1.1-1, right?

fepitre commented 3 years ago

@h01ger, another question regarding native vs. non-native:

Given that the release we are currently preparing here only changes debian/* files compared to 0.1.0, should there even be another upstream release? If not, then the release we are preparing here should probably be 0.1.0-2 and not 0.1.1-1, right?

Waiting for @h01ger's answer, from my humble opinion I would say yes if you consider my latest updates (use securesystemlibs etc) to be part of 0.1.0 release.

h01ger commented 3 years ago

On Wed, Jan 27, 2021 at 02:54:23AM -0800, lukpueh wrote:

@h01ger, another question regarding native vs. non-native:

Given that the release we are currently preparing here only changes debian/* files compared to 0.1.0, should there even be another upstream release? If not, then the release we are preparing here should probably be 0.1.0-2 and not 0.1.1-1, right?

best if there would be another upstream release, because 0.1.0.orig.tar.gz has already been uploaded to NEW, so we need something else (as one cannot replace files in the archive), eg 0.1.1 Or we could rename 0.1.0.orig.tar.gz to 0.1.0+fixup0.orig.tar.gz and upload that, but I would prefer 0.1.1 but 0.1.0+fixup0 is also fine, there will be 0.1.1 eventually anyway.

just add some explaination about root.layout or improve the README a bit or some such ;)

-- cheers, Holger

⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄

„If you don't like vaccination, try the disease.“ (Herwig Kollaritsch)

h01ger commented 3 years ago

0.1.0.1 or 0.1.0a could also be used instead of 0.1.0+fixup0...

naming things, such fun! :)

-- cheers, Holger

⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄

Dance like no one's watching. Encrypt like everyone is.

lukpueh commented 3 years ago

Haha, okay I'll just prepare an 0.1.1 upstream release in a separate PR. And we use this PR to prepare downstream 0.1.1-1.

lukpueh commented 3 years ago

So I've prepared a very basic 0.1.1 upstream release in #32 for the reasons outlined by Holger in https://github.com/in-toto/apt-transport-in-toto/pull/29#issuecomment-768210307. Once that's merged (we still have to decide on some technicalities, see https://github.com/in-toto/apt-transport-in-toto/pull/32#issuecomment-768286479), I can publish the upstream 0.1.1 release, and we finalize the downstream 0.1.1-1 here.

h01ger commented 3 years ago

On Wed, Jan 27, 2021 at 05:51:26AM -0800, lukpueh wrote:

So I've prepared a very basic 0.1.1 upstream release in #32 for the reasons outlined by Holger in https://github.com/in-toto/apt-transport-in-toto/pull/29#issuecomment-768210307. Once that's merged (we still have to decide on some technicalities, see https://github.com/in-toto/apt-transport-in-toto/pull/32#issuecomment-768286479), I can publish the upstream 0.1.1 release, and we finalize the downstream 0.1.1-1 here.

I think you can do the 0.1.1 release assuming/as if apt-transport-in-toto already has made it out of NEW...

-- cheers, Holger

⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C ⠈⠳⣄

Stop saying that we are all in the same boat. We’re all in the same storm. But we’re not all in the same boat.

lukpueh commented 3 years ago

There we go: https://github.com/in-toto/apt-transport-in-toto/releases/tag/v0.1.1

@fepitre, do you want to build v0.1.1-1 based on the new upstream release and the updated d/* files here in #29, and upload it to mentors?

fepitre commented 3 years ago

There we go: https://github.com/in-toto/apt-transport-in-toto/releases/tag/v0.1.1

@fepitre, do you want to build v0.1.1-1 based on the new upstream release and the updated d/* files here in #29, and upload it to mentors?

Sure I'll do it now.

fepitre commented 3 years ago

@lukpueh the build is not happy:

dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building apt-transport-in-toto using existing ./apt-transport-in-toto_0.1.1.orig.tar.gz
dpkg-source: warning: upstream signing key but no upstream tarball signature
dpkg-source: warning: ignoring deletion of file CHANGELOG.md, use --include-removal to override
dpkg-source: info: local changes detected, the modified files are:
 apt-transport-in-toto/README.md
dpkg-source: info: you can integrate the local changes with dpkg-source --commit
dpkg-source: error: aborting due to unexpected upstream changes, see /tmp/apt-transport-in-toto_0.1.1-1.diff.cHeOu0
dpkg-buildpackage: error: dpkg-source -b . subprocess returned exit status 2

I'm on this current branch #29 where I've cleaned properly local folder and ran uscan to get sources and trying to dpkg-buildpackage. Is this because of REAME diff?

fepitre commented 3 years ago

@lukpueh I've synced the diff. Is it fine?

fepitre commented 3 years ago

@lukpueh I think you have edited my previous comment :) And yes I've downloaded both archive and .asc file. We are good with my commit: https://gist.github.com/fepitre/02950fac4e90fa4e74730b850eb82475

lukpueh commented 3 years ago

@lukpueh I think you have edited my previous comment :) And yes I've downloaded both archive and .asc file.

haha, sorry. I meant to quote. Let me revert.

lukpueh commented 3 years ago

@lukpueh I've synced the diff. Is it fine?

It looks fine, but instead of committing the changes from develop here, I'd probably just rebase this branch on upstream develop.

fepitre commented 3 years ago

@lukpueh I've synced the diff. Is it fine?

It looks fine, but instead of committing the changes from develop here, I'd probably just rebase this branch on upstream develop.

Yes that is better. Would you like me to do it?

fepitre commented 3 years ago

Hi there: https://mentors.debian.net/package/apt-transport-in-toto/

lukpueh commented 3 years ago

Lintian complains about watch not checking for upstream signature, see https://github.com/in-toto/apt-transport-in-toto/pull/29#discussion_r565308826.

fepitre commented 3 years ago

Lintian complains about watch not checking for upstream signature, see #29 (comment).

Yes I see that. I can try to fix this.

lukpueh commented 3 years ago

Yes I see that. I can try to fix this.

Awesome, thanks! I just pushed a commit that fixed another easy-to-fix QA info. Will sign off for today. Feel free to push another build to mentors!

fepitre commented 3 years ago

@lukpueh Uploaded to mentors and @h01ger has uploaded it to ftp master! I think you can merge this PR! \o/

lukpueh commented 3 years ago

You guys rock! :) Thanks for your help, @fepitre and @h01ger!

I can merge this and also git reset --hard the upstream debian branch to it, now that we have dedicated it to tracking downstream release metadata changes... https://github.com/in-toto/apt-transport-in-toto/blob/c2892e50edccb362de24e498aaae68cc733f394b/debian/control#L25