Extend default debian/gbp.conf with extra security config tips

ottok · ottok · commit 2419ed630fe5 · 2026-03-13T10:22:38.000+08:00
When creating a new package, populate the git-buildpackage with additional
configs and in-line comments on why and how to use them. This will make
go packaging easier, more consistent and more secure as the best practices
flow to all packages via good defaults.

Contents is adapted from the template used by `dh-make` version 2.202503.
diff --git a/template.go b/template.go
@@ -356,8 +356,42 @@ func writeDebianGbpConf(dir string, dep14, pristineTar bool) error {
 		fmt.Fprintf(f, "dist = DEP14\n")
 	}
 	if pristineTar {
-		fmt.Fprintf(f, "pristine-tar = True\n")
+		fmt.Fprintf(f, `
+
+# Enable pristine-tar for git-buildpackage to exactly reproduce orig tarballs
+pristine-tar = True
+`)
 	}
+
+	// Additional text to the template which is useful for most Go packages
+	fmt.Fprint(f, `
+
+# Enable git-buildpackage to build using the currently checked out branch as if
+# it was the Debian branch. This makes it easier for contributors to develop and
+# test using feature/bugfix branches.
+ignore-branch = True
+
+# The Debian packaging git repository may also host actual upstream tags and
+# branches, typically named 'main' or 'master'. Configure the upstream tag
+# format below, so that 'gbp import-orig --uscan' will run correctly, and link
+# the tarball import branch ('upstream/latest') with the equivalent upstream
+# release tag, showing a complete audit trail of what upstream released and what
+# was imported into Debian.
+#
+# TODO: Most Go packages have tags of form 'v1.0.0', but must be double-checked.
+#upstream-vcs-tag = v%(version%~%-)s
+
+# If upstream publishes tarball signatures, git-buildpackage will by default
+# import and use the them. Change this to 'on' to make 'gbp import-orig' abort
+# if the signature is not found or is not valid.
+#
+# Most Go packages don't publish signatures for the tarball releases, so this is
+# not enabled by default.
+#upstream-signatures = on
+
+# Ensure the Debian maintainer signs git tags automatically.
+#sign-tags = True
+`)
 	return nil
 }
 
