-
Not Synced
Thank you very much.
-
Not Synced
Thanks everybody for coming,…
-
Not Synced
If you are packaging software and you want
me to work on with you,
-
Not Synced
this is how you can do that.
-
Not Synced
It is a very self-??? talk:
-
Not Synced
I just want to explain some of the things
that I like,
-
Not Synced
some practice that I prefer about Debian
packaging,
-
Not Synced
and I don't pretend this is any sort of
official,
-
Not Synced
permanent or final thing.
-
Not Synced
I just wanted to share some ideas that I
have about the way that I work with
-
Not Synced
packages, in the hope that maybe, hmm,
for two hopes:
-
Not Synced
One is that I hope that I can show you
something that you have not heard of,
-
Not Synced
or maybe you were doing differently,
-
Not Synced
or maybe you think it is the right think
to do and it is just nice to see somebody
-
Not Synced
somebody else doing it.
-
Not Synced
My second hope is that you can tell me
what I am doing wrong,
-
Not Synced
and you can help me learn and improve
on my own packaging techniques.
-
Not Synced
If you see something that I am proposing
up here,
-
Not Synced
and you think there is a problem with it,
I would like to hear about it too.
-
Not Synced
I just want to see more of the culture
within Debian,
-
Not Synced
of people who are doing packaging,
explaining what they are doing,
-
Not Synced
and so I thought I would just step up and
explain:
-
Not Synced
"Here is some of the practice that I do",
-
Not Synced
In the hope that other people will do the
same and explain what they are doing,
-
Not Synced
and maybe they can learn from me and
I can learn from them.
-
Not Synced
Without much further ????, I am just going
to dive into it.
-
Not Synced
If you have questions, I am perfectly
happy to be interrupted,
-
Not Synced
we have some folks with walking mics
in the crowd:
-
Not Synced
you can just raise your hand.
-
Not Synced
I you have got a question or an
interruption or whatever,
-
Not Synced
that is fine.
-
Not Synced
I ??? I got the whole 15 minutes,
I think there are 20 minutes,
-
Not Synced
I ??? the whole time, so there will be
also time for questions at the end
-
Not Synced
if you prefer.
-
Not Synced
But I do not mind being interrupted.
-
Not Synced
So, this is all on this web page here,
-
Not Synced
you could probably skip this talk and go
read the web page,
-
Not Synced
but then you would not have the nice
??? actions,
-
Not Synced
and it is easier to tell me that I am
wrong in person,
-
Not Synced
so I would like to have that happen.
-
Not Synced
I put this up on the Debian wiki,
-
Not Synced
because I want anyone to be able to find
it.
-
Not Synced
If you thing you have got some good ideas,
you should put it on the Debian Wiki too:
-
Not Synced
other people can take advantage of the
ideas that you have got.
-
Not Synced
First baseline is: I really like revision
control.
-
Not Synced
And I know that it makes me a certain
flavor on nerd,
-
Not Synced
but when we are working with things that
are as complicated as software packages,
-
Not Synced
hmmm, I think a lot of people don't get
that in Debian we are not just working on
-
Not Synced
one software package:
-
Not Synced
you are actually probably, if you are doing
a responsibly work,
-
Not Synced
on at least two software packages, and
maybe 5.
-
Not Synced
So you have got the version that is
unstable and you have got
-
Not Synced
the version that you try to maintain for
stable as well.
-
Not Synced
And we are committing to doing maintenance
work.
-
Not Synced
A lot of our work in the project is ???
in nature:
-
Not Synced
we want to clean up the mess and we want
us to stay out of the way and
-
Not Synced
to make sure things work, functionally,
-
Not Synced
for people who are relying on the
operating system to not get in their way.
-
Not Synced
So revision control I think is really
helpful because it means you can
-
Not Synced
keep track of what changes you have done
on different branches of the project
-
Not Synced
while you are maintaining both of them.
-
Not Synced
Basically, ??? require working with
the revision system I am comfortable with,
-
Not Synced
I prefer Git, I am not going to have a
religious word about it.
-
Not Synced
If upstream uses Git, I am even happier,
and I try to make my packaging depend on
-
Not Synced
upstream's revision control.
-
Not Synced
I like to use 'git-buildpackage', and I
like to use it with debhelper.
-
Not Synced
If you have not tried out
'git-buildpackage',
-
Not Synced
we are going to have a
'git-buildpackage' skill share session
-
Not Synced
later on today actually, and I welcome
you to come and share your tricks with it,
-
Not Synced
or learn some tricks from other people.
-
Not Synced
It is a particular way that you can keep
your Debian packaging in a Git repository,
-
Not Synced
and it helps you to keep track of all of
the changes that ave happened within
-
Not Synced
your packaging and within upstream to
make sure you are not accidentally
-
Not Synced
making other changes.
-
Not Synced
So it is very easy to go back and review
what you have done.
-
Not Synced
I find that really useful.
-
Not Synced
I definitely also like to keep upstream's
source code in the same revision control
-
Not Synced
system.
-
Not Synced
I like to keep the tarballs in the
revision control system because it means
-
Not Synced
that if someone is interested, they can
uses a tool called 'debcheckout'.
-
Not Synced
You can use 'debcheckout' with a name of
a package:
-
Not Synced
you say just "I am really interested in
package 'foo',
-
Not Synced
let me see the source code for that":
-
Not Synced
debcheckout foo
-
Not Synced
You get the source code, and you get the
source code from a revision control
-
Not Synced
system that you can now track and you
can just propose changes on.
-
Not Synced
You can also extract the tarball from that
revision control system.
-
Not Synced
'debcheckout' actually works even if you
do not have upstream stuff in there,
-
Not Synced
but I like to keep it all in one revision
control system,
-
Not Synced
it is just easier to find everything when
you want.
-
Not Synced
Some of these things that I prefer have
to do with what the upstream software
-
Not Synced
developer has done, so I am less inclined
to try the package an upstream software
-
Not Synced
project if they just throw tarballs here
over the wall to an FTP side
-
Not Synced
every now and then.
-
Not Synced
It makes it more difficult for me to know
what they are doing,
-
Not Synced
and why they are doing it.
-
Not Synced
So i like it, I have already said, when
upstream uses Git,
-
Not Synced
I also like when upstream signs their
releases,
-
Not Synced
and say "hey, this is specific release",
-
Not Synced
Because that is a signal that I can use,
or somebody else that understands the
-
Not Synced
project: as said "we think that this
something that other people can use",
-
Not Synced
or "this is a particular version we would
like other people to test".
-
Not Synced
There are a lot of other situations where
maybe it is not so important.
-
Not Synced
And having that be cryptographically
signed is really useful.
-
Not Synced
I care about cryptographic signature on
software because I want to know that
-
Not Synced
what I am running is related to the code
that somebody else out should be run.
-
Not Synced
And if you don't verify your software
cryptographically, anyone could
-
Not Synced
intercept the network connection
between you and that software,
-
Not Synced
and modify the software before it gets
to you.
-
Not Synced
And the cryptographic signature just says:
-
Not Synced
"look, this is a version that I am OK
with. I am putting it out there and
-
Not Synced
it comes from me".
-
Not Synced
And so I can have a trace back to that
point.
-
Not Synced
??? just talk about briefly about how you
do cryptographic verification of upstream.
-
Not Synced
You might know upstream: you might know
them personally, you know their key
-
Not Synced
already, that is fine.
-
Not Synced
That is not the usual case: we work on
the Internet.
-
Not Synced
In the situation where your upstream is
signing their tarballs
-
Not Synced
and you have not met them, you do not
have to sign their key,
-
Not Synced
you do not have to say "I announce this
is their key".
-
Not Synced
This is probably the same one that is
signing every release,
-
Not Synced
so you should keep track of that.
-
Not Synced
Debian has a nice way to keep track of
that:
-
Not Synced
you can tell Debian how to find the new
version of the upstream tarball.
-
Not Synced
This is in the Debian 'watch' file.
-
Not Synced
If you type 'man uscan', you can learn
more about Debian 'watch',
-
Not Synced
and Debian 'watch' has now a feature that
lets you say
-
Not Synced
"that is not only this way you find the
tarball,
-
Not Synced
but upstream publishes signatures
and the signatures look like this".
-
Not Synced
You know, they got a '.sig' at the end.
-
Not Synced
So there is a particular arcane way to
specify that, but if you specify that,
-
Not Synced
then 'uscan' can find not only the
upstream tarball but can find the
-
Not Synced
upstream signature and, if you drop
upstream's signing key -
-
Not Synced
which of course I did not put on the wiki
page, someone should add it that and
-
Not Synced
fix it - you can put the upstream signing
key in 'debian/upstream/signing-key.asc'.
-
Not Synced
And then if you do that, when you say
'uscan', you can tell…
-
Not Synced
Maybe some people here do notk
now how to use 'uscan'.
-
Not Synced
'uscan' is a very simple tool,
you run it from a software package that
-
Not Synced
has a 'debian' directory, or even one
level up if you keep all of your software
-
Not Synced
packages in one folder. You can go one
level up and say 'uscan', and it will look
-
Not Synced
in all of the folder that are children
of it, and look for new version by
-
Not Synced
trying to find for new upstreams versions
in 'debian/watch'.
-
Not Synced
And if you have configured 'debian/watch'
properly, it can find the new upstream
-
Not Synced
signatures, and if you have got the
'upstream/signing-key.asc', then
-
Not Synced
it will actually verify the signature for
you as part of fetching the new
-
Not Synced
upstream tarball.
-
Not Synced
So you can get all of those things just
by setting ???? that way.
-
Not Synced
There is a hand up down there, could we
get the mic down to the hand ?
-
Not Synced
Or to the person who has that hand, it is
not just a hand. [public laugh]
-
Not Synced
[someone] Publish a tarball and a hash, '.sha1',
and sign that hash, '.sha1.asc'.
-
Not Synced
Can 'uscan' cope with this and check the
signature on the hash and that the hash
-
Not Synced
belongs to that tarball ?
-
Not Synced
[Daniel] I do not believe that 'uscan' can
do that currently. So anybody out there
-
Not Synced
who wants to make things better for the
world should go hack on 'uscan':
-
Not Synced
that is a pretty straightforward thing
that we should fix because I agree
-
Not Synced
that is common pattern.
-
Not Synced
[someone] I have no answer to this
question by I have another question:
-
Not Synced
how do you convince upstreams who do
not release tarballs or who do
-
Not Synced
not set tags in Git ?
-
Not Synced
[Daniel] Who do not make tags in Git ?
-
Not Synced
[someone] Yes, if there is no tags you
can not check out a tarball.
-
Not Synced
Is there any good way to convince
upstream to do this ?
-
Not Synced
[Daniel] Git has this nice feature, which
is that you can create a tag,
-
Not Synced
which is associate with a particular
revision,
-
Not Synced
and you would like to have a tag
everywhere that a tarball has been
-
Not Synced
released from. I am tempted to pull up
a Git view and show people some tags.
-
Not Synced
The question that you ask is a social
one, not just a technical one,
-
Not Synced
and I actually find that my upstreams
are pretty responsive.
-
Not Synced
Usually I frame my request as "hey, it
looks like you made this tarball from
-
Not Synced
this particular commit 'id'. If you could
tag you releases, it would be really
-
Not Synced
helpful to me, and here is the command
that I would use to tag the release".
-
Not Synced
And I say "git tag…" and of course I
can never remember so first I look it up,
-
Not Synced
but it is either 'tag name' 'commit id' or
'commit id' 'tag name'.
-
Not Synced
But I would look it up and I would write
the e-mail so that all they have to do is
-
Not Synced
they read it, understand my argument,
and execute one command.
-
Not Synced
And then it starts them ??????
-
Not Synced
And if you say 'tag -s' then your tag will
be cryptographically signed, which
-
Not Synced
I think is a really good thing to do too.
-
Not Synced
So, cryptographic verification of
upstream.
-
Not Synced
As I said, I want to keep upstream's code
in the revision control system.
-
Not Synced
I also like to keep…
-
Not Synced
In my ideal case upstream is using Git:
I am using Git for packaging.
-
Not Synced
I actually like to keep upsteam's Git
history fully in my repository,
-
Not Synced
so that I do not just have the tarballs,
but I actually have all of their commits.
-
Not Synced
And that turns out to be really useful
for two specific cases:
-
Not Synced
In one case, there is a common scenario
where upstream will fix a bug,
-
Not Synced
but they have not made a release yet.
-
Not Synced
And that bug is really, really obviously
problematic for the folks who are
-
Not Synced
using Debian, so want to fix it.
-
Not Synced
All I can do, because I have their full
revision history, I can use Git to "cherry
-
Not Synced
pick" the upstream commit.
-
Not Synced
And then I "cherry pick" that upstream
commit and I can have it applied
-
Not Synced
separately and release an Debian version
that has the fix, even before upstream
-
Not Synced
has made a release with the fix.
-
Not Synced
So one nice thing about having upstream
revision is that I can pull fixes from
-
Not Synced
upstream before they decided
to release it.
-
Not Synced
The other advantage is the other
way around.
-
Not Synced
Often when I am doing packaging,
I discover a problem,
-
Not Synced
and maybe I can fix the problem.
-
Not Synced
And if that maybe I am already shipping
a Debian package that fixes the problem.
-
Not Synced
If my Debian fixes can be directly applied
to upstream, then I can use whatever
-
Not Synced
their preferred upstream patch
submission guidelines are,
-
Not Synced
whether it is a Github pull request, or
a patch to a mailing list,
-
Not Synced
or a "hey can you pull this from my Git
repository over here", e-mail…
-
Not Synced
The fact that I am using the same Git
history that they are using makes it
-
Not Synced
much easier for me to push my changes
back to them.
-
Not Synced
So, it sort of smooth the interaction if
you can consolidate and use the same
-
Not Synced
revision control system as their.
-
Not Synced
Towards that aim, I use a system now
called 'patch q',
-
Not Synced
which is part of 'git buildpackage'.
-
Not Synced
So 'git buildpackage' is 'gbp', 'patch q'
is 'pq',
-
Not Synced
so to deal with 'patch q' you say
'gbp pq'
-
Not Synced
and then you have some commands.
-
Not Synced
And what that does, is it takes…
-
Not Synced
How many of you are Debian packagers ?
-
Not Synced
How many of you package
software for Debian ?
-
Not Synced
A very large percentage, but not everyone.
-
Not Synced
I hope some folks are considering starting
packaging if you have not done it yet.
-
Not Synced
Of those of you who package software,
how many of you package software
-
Not Synced
with modifications, how many of you ship
a modified version of upstream sources ?
-
Not Synced
Beyond the 'debian' directory, just Debian
patches ?