|
| 1 | +From: =?utf-8?b?T3R0byBLZWvDpGzDpGluZW4=?= < [email protected]> |
| 2 | +Date: Thu, 21 Nov 2024 00:20:25 -0800 |
| 3 | +Subject: Extend default debian/gbp.conf with extra security config tips |
| 4 | + |
| 5 | +When creating a new package, populate the git-buildpackage with additional |
| 6 | +configs and in-line comments on why and how to use them. This will make |
| 7 | +go packaging easier, more consistent and more secure as the best practices |
| 8 | +flow to all packages via good defaults. |
| 9 | + |
| 10 | +Also add comment to explain why pristine-tar is beneficial. |
| 11 | +--- |
| 12 | + template.go | 36 ++++++++++++++++++++++++++++++++++-- |
| 13 | + 1 file changed, 34 insertions(+), 2 deletions(-) |
| 14 | + |
| 15 | +diff --git a/template.go b/template.go |
| 16 | +index 1240ab1..24ba7b4 100644 |
| 17 | +--- a/template.go |
| 18 | ++++ b/template.go |
| 19 | +@@ -347,8 +347,40 @@ func writeDebianGbpConf(dir string, dep14, pristineTar bool) error { |
| 20 | + fmt.Fprintf(f, "dist = DEP14\n") |
| 21 | + } |
| 22 | + if pristineTar { |
| 23 | +- fmt.Fprintf(f, "pristine-tar = True\n") |
| 24 | +- } |
| 25 | ++ fmt.Fprintf(f, ` |
| 26 | ++# Always use pristine tar to improve supply chain security and auditability |
| 27 | ++pristine-tar = True |
| 28 | ++ |
| 29 | ++`) |
| 30 | ++ } |
| 31 | ++ |
| 32 | ++ // Additional text to the template which is useful for 99% of the go packages |
| 33 | ++ fmt.Fprint(f, ` |
| 34 | ++# Lax requirement to use branch name 'debian/latest' so that git-buildpackage |
| 35 | ++# will always build using the currently checked out branch as the Debian branch. |
| 36 | ++# This makes it easier for contributors to work with feature and bugfix |
| 37 | ++# branches. |
| 38 | ++ignore-branch = True |
| 39 | ++ |
| 40 | ++# Configure the upstream tag format below, so that 'gbp import-orig' will run |
| 41 | ++# correctly, and link tarball import branch ('upstream/latest') with the |
| 42 | ++# equivalent upstream release tag, showing a complete audit trail of what |
| 43 | ++# upstream released and what was imported into Debian. |
| 44 | ++# |
| 45 | ++# Most Go packages have tags of form 'v1.0.0' |
| 46 | ++upstream-vcs-tag = v%(version%~%-)s |
| 47 | ++ |
| 48 | ++# If upstream publishes tarball signatures, git-buildpackage will by default |
| 49 | ++# import and use the them. Change this to 'on' to make 'gbp import-orig' abort |
| 50 | ++# if the signature is not found or is not valid. |
| 51 | ++# |
| 52 | ++# Most Go packages don't publish signatures for the tarball releases, so this is |
| 53 | ++# not enabled by default. |
| 54 | ++#upstream-signatures = on |
| 55 | ++ |
| 56 | ++# Ensure the Debian maintainer signs git tags automatically |
| 57 | ++sign-tags = True |
| 58 | ++`) |
| 59 | + return nil |
| 60 | + } |
| 61 | + |
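Review bot: The new pristine-tar block at `fmt.Fprintf(f, \`` passes a raw string as the format string with no arguments, while the second block a few lines below already uses `fmt.Fprint` because its text contains `%(version%~%-)s`; use the same call here (`fmt.Fprint(f, \``) so the two blocks are consistent and a `%` later added to this text cannot silently turn into a `%!(...)` artifact in the generated file. The emitted comment `# import and use the them.` carries a typo that will be copied into every generated gbp.conf; change it to `# import and use them.`. It would also help to state in that same comment that with `upstream-signatures` left at its default a release tarball that has no signature is still imported without any verification, which is the reason `on` is the stricter setting (this is my reading of gbp's default behaviour and is worth confirming against the git-buildpackage manual). writeDebianGbpConf begins before this hunk, so I could not check whether write errors on `f` are surfaced anywhere before `return nil`.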