Revert "Extend default debian/gbp.conf with extra security config tips"

guillemj · guillemj · commit 6f4fbdd63c61 · 2025-01-25T17:30:12.000+01:00
This reverts commit 9ddc3dc. This mixes changes that look uncontroversial, with ones that are rather controversial (including the wording used to describe them).
diff --git a/make.go b/make.go
@@ -416,8 +416,7 @@ func runGitCommandIn(dir string, arg ...string) error {
 }
 
 func createGitRepository(debsrc, gopkg, orig string, u *upstream,
-	includeUpstreamHistory bool, allowUnknownHoster bool, debianBranch string,
-	dep14 bool, pristineTar bool) (string, error) {
+	includeUpstreamHistory bool, allowUnknownHoster bool, debianBranch string, dep14 bool, pristineTar bool) (string, error) {
 
 	// debianBranch is passed in function call, but upstream import branch needs
 	// also to be defined
diff --git a/template.go b/template.go
@@ -342,40 +342,8 @@ func writeDebianGbpConf(dir string, dep14, pristineTar bool) error {
 		fmt.Fprintf(f, "dist = DEP14\n")
 	}
 	if pristineTar {
-		fmt.Fprintf(f, `
-# Always use pristine tar to improve supply chain security and auditability
-pristine-tar = True
-
-`)
+		fmt.Fprintf(f, "pristine-tar = True\n")
 	}
-
-	// Additional text to the template which is useful for 99% of the go packages
-	fmt.Fprint(f, `
-# Lax requirement to use branch name 'debian/latest' so that git-buildpackage
-# will always build using the currently checked out branch as the Debian branch.
-# This makes it easier for contributors to work with feature and bugfix
-# branches.
-ignore-branch = True
-
-# Configure the upstream tag format below, so that 'gbp import-orig' will run
-# correctly, and link tarball import branch ('upstream/latest') with the
-# equivalent upstream release tag, showing a complete audit trail of what
-# upstream released and what was imported into Debian.
-#
-# Most Go packages have tags of form 'v1.0.0'
-upstream-vcs-tag = v%(version%~%-)s
-
-# If upstream publishes tarball signatures, git-buildpackage will by default
-# import and use the them. Change this to 'on' to make 'gbp import-orig' abort
-# if the signature is not found or is not valid.
-#
-# Most Go packages don't publish signatures for the tarball releases, so this is
-# not enabled by default.
-#upstream-signatures = on
-
-# Ensure the Debian maintainer signs git tags automatically
-sign-tags = True
-`)
 	return nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -416,8 +416,7 @@ func runGitCommandIn(dir string, arg ...string) error {`
`416`	`416`	`}`
`417`	`417`
`418`	`418`	`func createGitRepository(debsrc, gopkg, orig string, u *upstream,`
`419`		`- includeUpstreamHistory bool, allowUnknownHoster bool, debianBranch string,`
`420`		`- dep14 bool, pristineTar bool) (string, error) {`
	`419`	`+ includeUpstreamHistory bool, allowUnknownHoster bool, debianBranch string, dep14 bool, pristineTar bool) (string, error) {`
`421`	`420`
`422`	`421`	`// debianBranch is passed in function call, but upstream import branch needs`
`423`	`422`	`// also to be defined`