[Pkg-anonymity-tools] Questions regarding pkg-anonymity work

u u at 451f.org
Sat Jul 25 13:56:33 UTC 2015


Hi,

أحمد المحمودي:
> Hello,
> 
>   I have a few questions regarding pkg-anonymity packaging:

Currently, we use pkg-anonymity-tools mainly for the package maintainer
field in debian/control, in order to share efforts in maintaining
anonymity related packages and to receive bug reports on this mailing list.

However, not all anonymity related packages are maintained by the team
and they do not necessarily have to.

>   * Why are your packages under /git/collab-maint instead of 
>     /git/pkg-anonymity ?

collab-maint is a pseudo-team for packages that are not connected to any
other teams, but whose maintainer still wants them to be maintained in a
collaborative way. Sure, one could set up an Alioth project for a single
package, and make a small standalone team, but for many packages that
can be too much work, and using collab-maint can save time and effort.

>   * On the wiki you mention that you prefer to use upstream tags as 
>     canonical upstream release and generate the release tarballs 

pkg-anonymity-tools does not have a wiki. Where did you read that exactly?

>     yourselves. Also I see on the 'mat' git repo, that you cloned 
>     upstream git.

`mat` is merely one package maintained by the team.

>     Since I am not used to this way of work, could someone explain 
>     briefly this workflow ?

In general, we use a Git repository for packaging (on collab-maint) and
add upstreams as a remote. This allows for pulling _signed_ git tags
from upstream. Those signed tags can then be integrated into a dedicated
debian packaging branch which simply adds the debian/ folder which
contains the files needed to package. From this branch we build and
create signed Git tags for the packages.

This layout follows or can follow more or less this proposal:
http://dep.debian.net/deps/dep14/

This way, building can be done using `gbp buildpackage`, [see
https://wiki.debian.org/PackagingWithGit#Getting_started and
http://honk.sigxcpu.org/projects/git-buildpackage/manual-html/gbp.html]

Maybe someone else can complete/improve my explanation, especially from
an uploading DD point of view?

>     Also I see that you have a debian/watch file and check upstream PGP 
>     signature, I don't understand the reason of this if you are 
>     generating the release tarballs by yourselves instead of using 
>     upstream tarballs.

You can do both: use a signed upstream tarball and compare it with what
is actually in the signed git release. This also allows for example for
verifying that the tarball which is uploaded to Debian has the same
checksum as upstream's. [see
http://honk.sigxcpu.org/projects/git-buildpackage/manual-html/gbp.import.html]

Also, as far as I know, this file is not only to be used by the package
maintainer. It's also used by the package tracker (correct me if I'm
wrong) and can be used by other people independently of the packaging
process itself.

Cheers,
Ulrike
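An added example, not code from this thread or from the pkg-anonymity-tools packaging: a small Python script that shows the checksum comparison described above (a tarball generated from the signed git tag checked against the digest upstream published) and why it only works when the generated tarball is built with normalised metadata. The file tree, the version string `mat-0.0` and the SHA256SUMS line are constructed; fetching upstream's checksum file and verifying its PGP signature are assumed to happen outside this script.

```python
import gzip
import hashlib
import io
import tarfile
import time

# Constructed stand-in for the tree checked out from a signed upstream git tag.
SOURCE_TREE = {
    "mat-0.0/README": b"Metadata Anonymisation Toolkit\n",
    "mat-0.0/mat.py": b"print('hello')\n",
}

def build_tarball(tree, normalise=True, mtime=0):
    """Return tar.gz bytes for `tree`. With normalise=True every field that
    varies between machines (mtime, uid/gid, owner names, gzip header time)
    is pinned, so the same tree always produces byte-identical output."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name in sorted(tree):  # stable member order
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime if normalise else int(time.time())
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    gz_buf = io.BytesIO()
    gz_mtime = mtime if normalise else None  # None -> gzip stamps "now"
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=gz_mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_sha256sums(text):
    """Parse 'digest  filename' lines in the format sha256sum(1) writes."""
    sums = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            sums[name.strip().lstrip("*")] = digest.lower()
    return sums

def tarball_matches_upstream(tarball, filename, sha256sums_text):
    """True only if our generated tarball has the digest upstream published
    for `filename`; a missing entry is a failure, not a pass."""
    expected = parse_sha256sums(sha256sums_text).get(filename)
    return expected is not None and expected == sha256_hex(tarball)
```

The unnormalised build of the very same tree fails the comparison, which is the usual reason a tarball regenerated from a git tag does not match the one upstream signed.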
