Upload to Debian with just "git tag" and "git push"

Introduction

tag2upload is a system intended to make it possible for Debian Developers and Debian Maintainers to upload new versions of packages by simply pushing a specially formatted git tag to salsa (Debian's GitLab instance).

The only thing you will have to do to cause new source and binary packages to flow out to the mirror network is sign and push a git tag.

We propose that this is offered as an alternative to the existing approaches: i.e., as an alternative to you preparing (from git or otherwise) the source package tarballs, .dsc, etc., on your own system.

Other information

This web page is just an introduction. We have prepared other more formal documents:

git-debpush(1) manpage
tag2upload service detailed design document including discussion of its security architecture and privilege separation arrangements
Risk assessment, which analyses possible risks and concerns (relating particularly to Debian archive integrity) in a formal and structured way.

How it works

DD (or appropriately authorised DM) signs and pushes a git tag containing some metadata. The tag is placed on the commit you want to release (which is probably the commit where you ran dch -r).
This triggers a GitLab webhook, which passes the public clone URI of your salsa project and the name of the newly pushed tag to a Debian-managed cloud service called tag2upload.
tag2upload verifies the signature on the tag against the Debian keyrings, produces a .dsc and .changes, signs these, and uploads the result to ftp-master.
ftp-master and the autobuilder network push out the source and binary packages in the usual way.

Only source-only uploads are supported; this is by design. tag2upload does not have, nor need, push access to anyone's repos on salsa: it doesn't make commits to your branch.

Convenience tool: git-debpush

Releasing a new package version should be as easy as possible, so we've produced a new script, git debpush, which just wraps git tag and git push to sign and push the specially formatted git tag.

With --no-push it will only make the tag, without pushing anything - a completely local operation. The tag can then be inspected and (if appropriate) pushed later.

Status

There is a prototype of the tag2upload service. It needs some additional security work, and then it needs to be properly deployed on Debian infrastructure. And, of course, its key will have be authorised to upload to the archive.

git-debpush is fully implemented, but it is not very useful without the tag2upload service.

Credits

This introduction is largely cribbed from a blog post by Sean Whitton, adapted for the new context and to take account of design changes arising from review of the prototype.

Thanks to Debian contributors on debian-devel, and thanks particularly to Jonathan McDowell, for comments and suggestions which have improved both the design itself, and the documentation.