export-orig: Add `uscan -d` mechanism
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
git-ubuntu |
New
|
Wishlist
|
Unassigned |
Bug Description
Git ubuntu's build.fetch_orig() routine iterates through a set of different mechanisms to try and obtain an upstream tarball for the current branch. However, in some cases all these options may unfortunately fail.
What I've been doing in these cases is to fallback to using `uscan -dd`. This relies on debian/watch, which is far from guaranteed to work, nor guaranteed to obtain the correct tarball version. Despite the caveats, my anecdotal experience has been good.
The idea I've had in mind is to add this as a last option for build.fetch_orig(), implemented as a routine in build.py named something like fetch_orig_
There's a few things I'm not sure about. First, what are the security implications of relying on this downloading random bits from the internet? Second, if upstream has releases up to 1.2, but we only have 1.0, and actually want 1.1, is there a way to hint uscan to grab the 1.1 tarball? And third, a lot of upstreams also publish hashsums of their tarballs for validation; is there a way to leverage these for validation?
Changed in usd-importer: | |
importance: | Undecided → Wishlist |
summary: |
- export-orig: Add `uscan -dd` mechanism + export-orig: Add `uscan -d` mechanism |
tags: | added: export-orig |
On Thu, Jul 08, 2021 at 10:07:12PM -0000, Bryce Harrington wrote:
> There's a few things I'm not sure about. First, what are the security
> implications of relying on this downloading random bits from the
> internet? Second, if upstream has releases up to 1.2, but we only have
> 1.0, and actually want 1.1, is there a way to hint uscan to grab the 1.1
> tarball? And third, a lot of upstreams also publish hashsums of their
> tarballs for validation; is there a way to leverage these for
> validation?
GPG validation is supported by uscan if a key is available in upstream/ signing- key.asc. There may be other mechanisms as well.
debian/
Even just using an https: link in debian/watch can provide some
assurance.
However a key difference is that if an orig tarball is fetched from
pristine-tar or Launchpad or Debian, then it's a tarball that's been
"blessed" by a package maintainer we trust. It's OK to fall back to
uscan, but in that case I think it's important for the user to know and
acknowledge the lower level of trust. So I'm not sure about
_automatically_ dropping that trust level as a fallback. Providing a
separately selected option, or acknowledging use of a lower "trust
level" using a command line option would work, but would that harm the
usefulness of doing this?
Feedback appreciated.