ChangingTheOrigTarball


Problems that occur when changing the orig-tarball

1) reproducibility

With only the .diff.gz and .dsc, neither you nor anyone else can reproduce the changes made to the orig-tarball.

2) upgradeability

There is no easy way to upgrade to a new upstream version.

3) Debian <-> Ubuntu

Differing orig-tarballs make it hard to sync automatically from Debian to Ubuntu.

4) Usage of VCS for debian package

If you manage your Debian package in svn (svn-buildpackage), you usually don't store the orig-tarball in the repository. (I guess the same holds for other VCSs, although I don't have experience with them yet.) Anyone doing a checkout has to get the orig-tarball separately, which leads back to point 1.

5) security tracking

Consider a situation where someone *wants* to introduce a backdoor, rootkit or other evil stuff. If the orig-tarball is intact, one can easily scan through the .diff.gz and see whether the person who debianized the package tried to do something evil. If the orig-tarball has been changed, however, one also needs to check the differences between that tarball and the real original source. (Note that you still have to trust upstream not to do evil things, but that holds whether the orig-tarball is unchanged or not.)

6) You already have the option to use the .diff.gz to reflect changes to the orig-tarball.
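
The extra check described under security tracking can be sketched in shell. This is a minimal sketch, not an established tool: the function name compare_tarballs is hypothetical, and it assumes a tar that detects compression on extraction and supports --strip-components (GNU tar does).

```shell
#!/bin/sh
# Hypothetical helper: unpack both tarballs and report what differs.
# Usage: compare_tarballs upstream-tarball repacked-orig-tarball
# Returns 0 if the trees match, 1 if they differ, 2 on unpack errors.
compare_tarballs() {
    work=$(mktemp -d) || return 2
    mkdir "$work/upstream" "$work/repacked"
    # Drop the top-level directory so that a renamed top-level
    # directory alone is not reported as a difference.
    tar -xf "$1" -C "$work/upstream" --strip-components=1 &&
    tar -xf "$2" -C "$work/repacked" --strip-components=1 ||
        { rm -rf "$work"; return 2; }
    status=0
    # -r recurses, -q prints only which files differ or are missing.
    (cd "$work" && diff -r -q upstream repacked) || status=$?
    rm -rf "$work"
    return "$status"
}
```

A removed file shows up as an "Only in upstream" line; any other reported difference deserves a closer look.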

Under what circumstances the orig-tarball can be changed and when it shouldn't be

Allowed

  • upstream tarball contains (non-free) material that cannot be redistributed -> remove the non-free portions

Not allowed

  • directory layout wrong -> dpkg-source is quite flexible with this and manages to produce the correct directory layout even if

    • the directory inside the tarball is not named <upstream>-<version>

    • there is no subdirectory inside the tarball
  • files that need to be removed to keep the .diff.gz small (e.g. autotools-stuff):
    • everything that needs to be deleted should be deleted in the clean rule. Since the .diff.gz is created with diff -u, removed files do not show up in the .diff.gz
  • files to be modified
    • always need to go into .diff.gz. That's the purpose of it ;)

  • wrong permissions on files
    • These won't be represented in .diff.gz. However you have the means to change this in debian/rules. <evilcynicalmode> If you don't know how to do it with cdbs, use debhelper!</evilcynicalmode>

  • What to do with an .orig.tar.gz that already includes a debian/ dir?
    • Do not repackage. Ask upstream to delete the debian/ dir and provide a diff.gz instead. This makes it easier to review upstream development, upstream packaging work and your packaging work.
  • Upstream includes precompiled architecture-specific binaries in the tarball
    • If these can be regenerated during build, they should be deleted in the clean: rule.
    • If these cannot be regenerated during build, the code is probably non-free, and may not be suitable for distribution. If the program works without these files, see non-free files above. If the program doesn't work without these files, contact upstream for resolution.

Kind of allowed

  • upstream provides only bzip2 or upstream is a VCS snapshot
    • just run bunzip2 on the .tar.bz2 and gzip -9 on the resulting .tar.
    • the md5sums of the .tar you provide and the original .tar must match!

    • provide a get-orig-source target in debian/rules that does this conversion
      • Example:

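# Each recipe line runs in its own shell, so the cd only affects the wget line.
# The .tar.gz is written next to the download, and the symlink target is given
# relative to the directory that holds the link.
get-orig-source:
        cd .. && wget http://somesite.org/stuff/somesoftware-4.2.tar.bz2
        bzcat ../somesoftware-4.2.tar.bz2 | gzip --best -c > ../somesoftware-4.2.tar.gz
        ln -s somesoftware-4.2.tar.gz ../${DEB_SOURCE_PACKAGE}_4.2.orig.tar.gz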

(and maybe also provide the rule ../somesoftware_4.2.orig.tar.gz: get-orig-source, or list get-orig-source within .PHONY).
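
The md5sum requirement above can be checked by hashing the decompressed streams of both files. The following is a minimal sketch; the function name same_inner_tar is hypothetical, and it assumes bzcat, gzip and md5sum are installed.

```shell
#!/bin/sh
# Hypothetical helper: succeeds only if the .tar inside the upstream
# .tar.bz2 and the .tar inside the repacked .tar.gz are byte-identical.
# Usage: same_inner_tar upstream.tar.bz2 repacked.orig.tar.gz
same_inner_tar() {
    # Refuse to compare unreadable files: two failed decompressions
    # would otherwise both hash the empty stream and appear to match.
    [ -r "$1" ] && [ -r "$2" ] || return 2
    sum_bz2=$(bzcat "$1" | md5sum | cut -d' ' -f1)
    sum_gz=$(gzip -dc "$2" | md5sum | cut -d' ' -f1)
    [ "$sum_bz2" = "$sum_gz" ]
}
```

Anyone who downloads the upstream .tar.bz2 can run the same comparison against the .orig.tar.gz in the archive.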

  • if you use a watch file, this can be:

# Path to the debian directory
DEBIAN_DIR := $(shell echo ${MAKEFILE_LIST} | awk '{print $$1}' | xargs dirname )

get-orig-source:
        cd ${DEBIAN_DIR}/.. && \
        version=$$(uscan --force-download --dehs | \
                sed -n 's/.*<upstream-version>\(.*\)<\/upstream-version>.*/\1/p') && \
        bzcat ../somesoftware-$${version}.tar.bz2 | gzip --best -c - > \
        ${CURDIR}/${DEB_SOURCE_PACKAGE}_$${version}.orig.tar.gz
  • directly imported from cvs

CVSDATE := 22 May 2007
SW_VERSION := 4.2

TARFILE := somesoftware_$(SW_VERSION)~cvs$(shell date -d "$(CVSDATE)" +%Y%m%d).orig.tar.gz
CVSHOME := :pserver:anonymous@somesoftware.cvs.sourceforge.net:/cvsroot/somesoftware

get-orig-source::
        cvs -d$(CVSHOME) login
        cvs -d$(CVSHOME) export -D "$(CVSDATE)" somesoftware
        tar czf $(CURDIR)/../$(TARFILE) -C $(CURDIR) somesoftware
        rm -rf $(CURDIR)/somesoftware

../$(TARFILE):: get-orig-source
  • Always remember to reference get-orig-source: in debian/copyright when you need to repack the orig.tar.gz, explaining why you repacked it and how others can verify your work.

P.S.: It's always a good idea to contact upstream and ask them to correct things like autoconf issues, directory layout, an old FSF address or anything else you would otherwise need to "patch" afterwards in the .diff.gz.

P.P.S.: Older packages (from Debian Policy 3.3.8 or earlier) keep the information on repacking in debian/README.Debian-source. When updating an older package, it is acceptable to leave it there, although when upgrading or packaging new software, debian/copyright is much preferred.


[:CategoryMOTU]

MOTU/Packages/CommonPackagingMistakes/ChangingTheOrigTarball (last edited 2008-08-06 16:30:52 by localhost)