Upload to Debian with just "git tag" and "git push"
Introduction
tag2upload is a system intended to make it possible for Debian
Developers and Debian Maintainers to upload new versions of packages
by simply pushing a specially formatted git tag to salsa (Debian's
GitLab instance).
The only thing you will have to do to cause new source
and binary packages to flow out to the mirror network is sign and push
a git tag.
We propose that this is offered as an alternative to the existing
approaches: i.e., as an alternative to you preparing (from git or
otherwise) the source package tarballs, .dsc, etc., on
your own system.
Other information
This web page is just an introduction. We have prepared other more
formal documents:
How it works
- DD (or appropriately authorised DM) signs and pushes a git tag
containing some metadata. The tag is placed on the commit you want to
release (which is probably the commit where you ran dch -r).
- This triggers a GitLab webhook, which passes the public clone URI
of your salsa project and the name of the newly pushed tag to a
Debian-managed cloud service called tag2upload.
- tag2upload verifies the signature on the tag against the Debian
keyring, produces a .dsc and .changes, signs these, and
uploads the result to ftp-master.
- ftp-master and the autobuilder network push out the source and
binary packages in the usual way.
Only source-only uploads are supported; this is by design.
tag2upload does not have, nor need, push access to anyone's repos
on salsa: it doesn't make commits to your branch.
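The signature check in the third step above, as an added example that is not tag2upload's own code: one way to accept or reject a tag from gpg's machine-readable status lines, such as those printed by git verify-tag --raw. It assumes the keyring is represented as a set of primary-key fingerprints; the names signer_of, status and AUTHORISED and all fingerprints are constructed for illustration.

```python
# Added example (not tag2upload's code): accept or reject a tag signature from
# gpg status lines, e.g. the stderr of `git verify-tag --raw <tag>`.
# All fingerprints and status lines here are constructed sample data.

# Status keywords that mean the signature must not be trusted. gpg emits
# VALIDSIG next to EXPKEYSIG/REVKEYSIG, so VALIDSIG alone is not enough.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

PRIMARY = "1" * 40      # constructed primary-key fingerprint, in the keyring
SUBKEY = "2" * 40       # constructed signing-subkey fingerprint
AUTHORISED = {PRIMARY}  # assumption: stands in for the keys in the keyring


def status(sig_keyword):
    """Build constructed gpg status output with the given *SIG keyword."""
    return (
        "gpg: free-form text that must be ignored\n"
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] {sig_keyword} 2222222222222222 Constructed Uploader\n"
        f"[GNUPG:] VALIDSIG {SUBKEY} 2024-01-01 1704067200 0 4 0 1 10 00 {PRIMARY}\n"
    )


def signer_of(status_text, authorised):
    """Return the signer's primary-key fingerprint, or None to reject."""
    valid = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # only machine-readable status lines are parsed
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return None
        if keyword == "VALIDSIG" and len(args) >= 10:
            valid.append(args[9].upper())  # 10th field: primary key fingerprint
    # Exactly one valid signature, made by a key in the authorised set.
    if len(valid) == 1 and valid[0] in authorised:
        return valid[0]
    return None


if __name__ == "__main__":
    for kw in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG"):
        print(kw, "->", signer_of(status(kw), AUTHORISED))
```

Matching on the primary-key fingerprint rather than the signing subkey means a tag signed with any subkey of an authorised key is attributed to that key's owner.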
Convenience tool: git-debpush
Releasing a new package version should be as easy as possible, so we've
produced a new script, git debpush, which just wraps git tag and
git push to sign and push the specially formatted git tag.
With --no-push it will only make the tag, without pushing
anything - a completely local operation. The tag can then be
inspected and (if appropriate) pushed later.
Status
There is a prototype of the tag2upload service. It needs some
additional security work, and then it needs to be properly deployed on
Debian infrastructure. And, of course, its key will have to be
authorised to upload to the archive.
git-debpush is fully implemented, but it is not very useful without
the tag2upload service.
Credits
This introduction is largely cribbed from a blog post
by Sean Whitton, adapted for the new context and to take account
of design changes arising from review of the prototype.
Thanks to Debian contributors on debian-devel, and thanks
particularly to Jonathan McDowell, for comments and suggestions
which have improved both the design itself, and the documentation.