From a0f8d5105eeeb0c1b634eef14f17e5832cc2f6cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Otto=20Kek=C3=A4l=C3=A4inen?=
Date: Sat, 23 Nov 2024 20:16:58 -0800
Subject: [PATCH] WIP: Patches from https://github.com/Debian/dh-make-golang/pull/225

---
 ...h-names-debian-latest-and-upstream-l.patch | 100 +++---------------
 ...call-upstream-git-remote-upstreamvcs.patch | 27 +++++
 ...ebian-gbp.conf-with-extra-security-c.patch | 47 ++++++++
 ...p-modifying-upstream-.gitignore-file.patch | 50 +++++++++
 debian/patches/series | 3 +
 5 files changed, 143 insertions(+), 84 deletions(-)
 create mode 100644 debian/patches/0002-Always-call-upstream-git-remote-upstreamvcs.patch
 create mode 100644 debian/patches/0003-Extend-default-debian-gbp.conf-with-extra-security-c.patch
 create mode 100644 debian/patches/0004-Stop-modifying-upstream-.gitignore-file.patch

diff --git a/debian/patches/0001-Use-DEP-14-branch-names-debian-latest-and-upstream-l.patch b/debian/patches/0001-Use-DEP-14-branch-names-debian-latest-and-upstream-l.patch
index 9a7d895..3b8e83f 100644
--- a/debian/patches/0001-Use-DEP-14-branch-names-debian-latest-and-upstream-l.patch
+++ b/debian/patches/0001-Use-DEP-14-branch-names-debian-latest-and-upstream-l.patch
@@ -4,19 +4,20 @@ Subject: Use DEP-14 branch names `debian/latest` and `upstream/latest` In DEP-14, the preferred branch name for the Debian packaging target branch is `debian/latest` and the preferred name for the upstream import -target branch is `upstream/latest`. Note that the upstream development -branch name can be whatever and should stay as it is upstream, typically -`main` or `master`. The branch `upstream/latest` should not point to -the latest upstream development commit, but to the latest commit that -was used as the upstream release that the Debian revision was derived -from. +target branch is `upstream/latest`. + +Note that the upstream development branch name can be whatever and should +stay as it is upstream, typically `main` or `master`. The branch +`upstream/latest` should not point to the latest upstream development +commit, but to the latest commit that was used as the upstream release +that the Debian revision was derived from. --- - make.go | 37 +++++++++---------------------------- - template.go | 27 ++++++++++++++++++++++++++- - 2 files changed, 35 insertions(+), 29 deletions(-) + make.go | 11 +++++++---- + template.go | 3 ++- + 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/make.go b/make.go -index 9f48c07..b5376ff 100644 +index 9f48c07..b768095 100644 --- a/make.go +++ b/make.go @@ -413,7 +413,7 @@ func runGitCommandIn(dir string, arg ...string) error { 
@@ -37,17 +38,7 @@ index 9f48c07..b5376ff 100644 if pristineTar { branches = append(branches, "pristine-tar") } -@@ -482,7 +482,8 @@ func createGitRepository(debsrc, gopkg, orig string, u *upstream, - } - - if includeUpstreamHistory { -- u.remote, err = shortHostName(gopkg, allowUnknownHoster) -+ // Always call the upstream git remote 'upstreamvcs' just like git-buildpackage does -+ u.remote = "upstreamvcs" - if err != nil { - return dir, fmt.Errorf("unable to fetch upstream history: %q", err) - } -@@ -502,6 +503,9 @@ func createGitRepository(debsrc, gopkg, orig string, u *upstream, +@@ -502,6 +502,9 @@ func createGitRepository(debsrc, gopkg, orig string, u *upstream, // Import upstream orig tarball arg := []string{"import-orig", "--no-interactive", "--debian-branch=" + debianBranch} 
@@ -57,37 +48,7 @@ index 9f48c07..b5376ff 100644 if pristineTar { arg = append(arg, "--pristine-tar") } -@@ -516,29 +520,6 @@ func createGitRepository(debsrc, gopkg, orig string, u *upstream, - return dir, fmt.Errorf("import-orig: %w", err) - } - -- { -- f, err := os.OpenFile(filepath.Join(dir, ".gitignore"), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) -- if err != nil { -- return dir, fmt.Errorf("open .gitignore: %w", err) -- } -- // Beginning newline in case the file already exists and lacks a newline -- // (not all editors enforce a newline at the end of the file): -- if _, err := f.Write([]byte("\n/.pc/\n/_build/\n")); err != nil { -- return dir, fmt.Errorf("write to .gitignore: %w", err) -- } -- if err := f.Close(); err != nil { -- return dir, fmt.Errorf("close .gitignore: %w", err) -- } -- } -- -- if err := runGitCommandIn(dir, "add", ".gitignore"); err != nil { -- return dir, fmt.Errorf("git add .gitignore: %w", err) -- } -- -- if err := runGitCommandIn(dir, "commit", "-m", "Ignore _build and quilt .pc dirs via .gitignore"); err != nil { -- return dir, fmt.Errorf("git commit (.gitignore): %w", err) -- } -- - return dir, nil - } - -@@ -892,7 +873,7 @@ func execMake(args []string, usage func()) { +@@ -892,7 +895,7 @@ func execMake(args []string, usage func()) { // Set the debian branch. debBranch := "master" if dep14 { @@ -96,7 +57,7 @@ index 9f48c07..b5376ff 100644 } switch strings.TrimSpace(wrapAndSort) { -@@ -983,7 +964,7 @@ func execMake(args []string, usage func()) { +@@ -983,7 +986,7 @@ func execMake(args []string, usage func()) { debversion := u.version + "-1" @@ -106,10 +67,10 @@ index 9f48c07..b5376ff 100644 log.Fatalf("Could not create git repository: %v\n", err) } diff --git a/template.go b/template.go -index 4c87c7d..f60eb13 100644 +index 4c87c7d..74cca68 100644 --- a/template.go 
+++ b/template.go -@@ -337,12 +337,37 @@ func writeDebianGbpConf(dir string, dep14, pristineTar bool) error { +@@ -337,7 +337,8 @@ func writeDebianGbpConf(dir string, dep14, pristineTar bool) error { fmt.Fprintf(f, "[DEFAULT]\n") if dep14 { @@ -119,32 +80,3 @@ index 4c87c7d..f60eb13 100644 fmt.Fprintf(f, "dist = DEP14\n") } if pristineTar { - fmt.Fprintf(f, "pristine-tar = True\n") - } -+ -+ // Additional text to the template which is useful for 99% of the go packages -+ // NOTE: The v%%(version%%~%%.)s will print v%(version%~%.)s -+ fmt.Fprintf(f, ` -+# Lax requirement to use branch name 'debian/latest' so that git-buildpackage -+# will always build using the currently checked out branch as the Debian branch. -+# This makes it easier for contributors to work with feature and bugfix -+# branches. -+ignore-branch = True -+ -+# Configure the upstream tag format below, so that 'gbp import-orig' will run -+# correctly, and link tarball import branch ('upstream/latest') with the -+# equivalent upstream release tag, showing a complete audit trail of what -+# upstream released and what was imported into Debian. -+# -+# Most go packages have tags of form 'v1.0.0' -+#upstream-vcs-tag = v%%(version%%~%%.)s -+ -+# Check that upstream signed git tags (options: auto|on|off) -+#upstream-signatures = on -+ -+# Ensure the Debian maintainer signs git tags automatically -+#sign-tags = True -+`) - return nil - } - diff --git a/debian/patches/0002-Always-call-upstream-git-remote-upstreamvcs.patch b/debian/patches/0002-Always-call-upstream-git-remote-upstreamvcs.patch new file mode 100644 index 0000000..8e81cae --- /dev/null +++ b/debian/patches/0002-Always-call-upstream-git-remote-upstreamvcs.patch 
@@ -0,0 +1,27 @@
+From: =?utf-8?b?T3R0byBLZWvDpGzDpGluZW4=?=
+Date: Thu, 21 Nov 2024 00:18:30 -0800
+Subject: Always call upstream git remote `upstreamvcs`
+
+Instead of using various different upstream remote names, use the one and
+same upstream git remote name consistently. As the name pick `upstreamvcs`
+just as git-buildpackage does, so that if anybody runs `gbp clone` they
+will automatically end up with the same git remotes and branches as anyone
+in to go-team.
+---
+ make.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/make.go b/make.go
+index b768095..7b6f8d2 100644
+--- a/make.go
++++ b/make.go
+@@ -482,7 +482,8 @@ func createGitRepository(debsrc, gopkg, orig string, u *upstream,
+ }
+ 
+ if includeUpstreamHistory {
+- u.remote, err = shortHostName(gopkg, allowUnknownHoster)
++ // Always call the upstream git remote 'upstreamvcs' just like git-buildpackage does
++ u.remote = "upstreamvcs"
+ if err != nil {
+ return dir, fmt.Errorf("unable to fetch upstream history: %q", err)
+ }
diff --git a/debian/patches/0003-Extend-default-debian-gbp.conf-with-extra-security-c.patch b/debian/patches/0003-Extend-default-debian-gbp.conf-with-extra-security-c.patch
new file mode 100644
index 0000000..5ef736c
--- /dev/null
+++ b/debian/patches/0003-Extend-default-debian-gbp.conf-with-extra-security-c.patch
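Review bot: Once `u.remote = "upstreamvcs"` replaces the `shortHostName` assignment, the `if err != nil` check kept right after it no longer tests anything this statement produced; it inspects whatever value `err` held before the `if includeUpstreamHistory` block, so it is either dead or will surface a stale error under the misleading message "unable to fetch upstream history". Either drop the three lines `if err != nil { return dir, fmt.Errorf("unable to fetch upstream history: %q", err) }` together with the call, or, if an earlier error is meant to be caught here, move the check next to the statement that sets it. It is also worth confirming that `allowUnknownHoster`, the argument dropped with the `shortHostName` call, is still used elsewhere in this function, since this may have been its only use on this path. createGitRepository's body starts and continues outside the hunk.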
@@ -0,0 +1,47 @@
+From: =?utf-8?b?T3R0byBLZWvDpGzDpGluZW4=?=
+Date: Thu, 21 Nov 2024 00:20:25 -0800
+Subject: Extend default debian/gbp.conf with extra security config tips
+
+When creating a new package, populate the git-buildpackage with additional
+configs and in-line comments on why and how to use them. This will make
+go packaging easier, more consistent and more secure as the best practices
+flow to all packages via good defaults.
+---
+ template.go | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/template.go b/template.go
+index 74cca68..f60eb13 100644
+--- a/template.go
++++ b/template.go
+@@ -344,6 +344,30 @@ func writeDebianGbpConf(dir string, dep14, pristineTar bool) error {
+ if pristineTar {
+ fmt.Fprintf(f, "pristine-tar = True\n")
+ }
++
++ // Additional text to the template which is useful for 99% of the go packages
++ // NOTE: The v%%(version%%~%%.)s will print v%(version%~%.)s
++ fmt.Fprintf(f, `
++# Lax requirement to use branch name 'debian/latest' so that git-buildpackage
++# will always build using the currently checked out branch as the Debian branch.
++# This makes it easier for contributors to work with feature and bugfix
++# branches.
++ignore-branch = True
++
++# Configure the upstream tag format below, so that 'gbp import-orig' will run
++# correctly, and link tarball import branch ('upstream/latest') with the
++# equivalent upstream release tag, showing a complete audit trail of what
++# upstream released and what was imported into Debian.
++#
++# Most go packages have tags of form 'v1.0.0'
++#upstream-vcs-tag = v%%(version%%~%%.)s
++
++# Check that upstream signed git tags (options: auto|on|off)
++#upstream-signatures = on
++
++# Ensure the Debian maintainer signs git tags automatically
++#sign-tags = True
++`)
+ return nil
+ }
+ 
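Review bot: The only setting this hunk actually activates in the generated gbp.conf is `ignore-branch = True`, which switches off git-buildpackage's check that the checked-out branch is the Debian branch, while the settings the patch subject presents as security config (`#upstream-vcs-tag`, `#upstream-signatures = on`, `#sign-tags = True`) are written out commented, so a freshly generated package verifies no more than before. The comment above `ignore-branch = True` should state what is given up, e.g. `# NOTE: this disables the safety check that builds run from the Debian branch`, and the signature block should say that each line has to be uncommented per package before the audit trail described above it exists. As a point of style, the template is handed to `fmt.Fprintf` with no arguments, which forces the `%%` doubling and the NOTE explaining it; `fmt.Fprint(f, ...)` with a single `%` in `#upstream-vcs-tag = v%(version%~%.)s` would drop both. writeDebianGbpConf's body begins outside the hunk.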
diff --git a/debian/patches/0004-Stop-modifying-upstream-.gitignore-file.patch b/debian/patches/0004-Stop-modifying-upstream-.gitignore-file.patch
new file mode 100644
index 0000000..0a3bb15
--- /dev/null
+++ b/debian/patches/0004-Stop-modifying-upstream-.gitignore-file.patch
@@ -0,0 +1,50 @@
+From: =?utf-8?b?T3R0byBLZWvDpGzDpGluZW4=?=
+Date: Thu, 21 Nov 2024 00:23:12 -0800
+Subject: Stop modifying upstream .gitignore file
+
+The fact that Debian builds produce extra files in the build directory
+is a separate concern and should not be managed by .gitignores in upstream
+directory. Anyways, the list is not going to be complete on most packages,
+and instead of extending the list, a better practice is to have proper
+`make clean` rules in the `debian/rules`, or to simply run `git clean -fdx`
+between builds. Additionally, everyone should be using `gbp pq` to update
+patches instead of legacy Quilt, so no more `.pc` directories should be
+generated.
+---
+ make.go | 23 -----------------------
+ 1 file changed, 23 deletions(-)
+
+diff --git a/make.go b/make.go
+index 7b6f8d2..b5376ff 100644
+--- a/make.go
++++ b/make.go
+@@ -520,29 +520,6 @@ func createGitRepository(debsrc, gopkg, orig string, u *upstream,
+ return dir, fmt.Errorf("import-orig: %w", err)
+ }
+ 
+- {
+- f, err := os.OpenFile(filepath.Join(dir, ".gitignore"), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+- if err != nil {
+- return dir, fmt.Errorf("open .gitignore: %w", err)
+- }
+- // Beginning newline in case the file already exists and lacks a newline
+- // (not all editors enforce a newline at the end of the file):
+- if _, err := f.Write([]byte("\n/.pc/\n/_build/\n")); err != nil {
+- return dir, fmt.Errorf("write to .gitignore: %w", err)
+- }
+- if err := f.Close(); err != nil {
+- return dir, fmt.Errorf("close .gitignore: %w", err)
+- }
+- }
+-
+- if err := runGitCommandIn(dir, "add", ".gitignore"); err != nil {
+- return dir, fmt.Errorf("git add .gitignore: %w", err)
+- }
+-
+- if err := runGitCommandIn(dir, "commit", "-m", "Ignore _build and quilt .pc dirs via .gitignore"); err != nil {
+- return dir, fmt.Errorf("git commit (.gitignore): %w", err)
+- }
+-
+ return dir, nil
+ }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index ab92370..ca43813 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,4 @@
 0001-Use-DEP-14-branch-names-debian-latest-and-upstream-l.patch
+0002-Always-call-upstream-git-remote-upstreamvcs.patch
+0003-Extend-default-debian-gbp.conf-with-extra-security-c.patch
+0004-Stop-modifying-upstream-.gitignore-file.patch