|
| 1 | +From: =?utf-8?b?T3R0byBLZWvDpGzDpGluZW4=?= < [email protected]> |
| 2 | +Date: Thu, 21 Nov 2024 00:20:25 -0800 |
| 3 | +Subject: Extend default debian/gbp.conf with extra security config tips |
| 4 | + |
| 5 | +When creating a new package, populate the git-buildpackage with additional |
| 6 | +configs and in-line comments on why and how to use them. This will make |
| 7 | +go packaging easier, more consistent and more secure as the best practices |
| 8 | +flow to all packages via good defaults. |
| 9 | + |
| 10 | +Contents is in line with the template used by `dh-make` version 2.202503. |
| 11 | +--- |
| 12 | + template.go | 38 ++++++++++++++++++++++++++++++++++++-- |
| 13 | + 1 file changed, 36 insertions(+), 2 deletions(-) |
| 14 | + |
| 15 | +diff --git a/template.go b/template.go |
| 16 | +index 0e356c5..4e0d356 100644 |
| 17 | +--- a/template.go |
| 18 | ++++ b/template.go |
| 19 | +@@ -347,8 +347,42 @@ func writeDebianGbpConf(dir string, dep14, pristineTar bool) error { |
| 20 | + fmt.Fprintf(f, "dist = DEP14\n") |
| 21 | + } |
| 22 | + if pristineTar { |
| 23 | +- fmt.Fprintf(f, "pristine-tar = True\n") |
| 24 | +- } |
| 25 | ++ fmt.Fprintf(f, ` |
| 26 | ++# Enable pristine-tar to exactly reproduce orig tarballs |
| 27 | ++pristine-tar = True |
| 28 | ++ |
| 29 | ++`) |
| 30 | ++ } |
| 31 | ++ |
| 32 | ++ // Additional text to the template which is useful for 99% of the go packages |
| 33 | ++ fmt.Fprint(f, ` |
| 34 | ++# Lax requirement to use branch name 'debian/latest' so that git-buildpackage |
| 35 | ++# will always build using the currently checked out branch as the Debian branch. |
| 36 | ++# This makes it easier for contributors to work with feature and bugfix |
| 37 | ++# branches. |
| 38 | ++ignore-branch = True |
| 39 | ++ |
| 40 | ++# The Debian packaging git repository may also host actual upstream tags and |
| 41 | ++# branches, typically named 'main' or 'master'. Configure the upstream tag |
| 42 | ++# format below, so that 'gbp import-orig' will run correctly, and link tarball |
| 43 | ++# import branch ('upstream/latest') with the equivalent upstream release tag, |
| 44 | ++# showing a complete audit trail of what upstream released and what was imported |
| 45 | ++# into Debian. |
| 46 | ++# |
| 47 | ++# TODO: Most Go packages have tags of form 'v1.0.0', but must be double-checked. |
| 48 | ++upstream-vcs-tag = v%(version%~%-)s |
| 49 | ++ |
| 50 | ++# If upstream publishes tarball signatures, git-buildpackage will by default |
| 51 | ++# import and use the them. Change this to 'on' to make 'gbp import-orig' abort |
| 52 | ++# if the signature is not found or is not valid. |
| 53 | ++# |
| 54 | ++# Most Go packages don't publish signatures for the tarball releases, so this is |
| 55 | ++# not enabled by default. |
| 56 | ++#upstream-signatures = on |
| 57 | ++ |
| 58 | ++# Ensure the Debian maintainer signs git tags automatically. |
| 59 | ++sign-tags = True |
| 60 | ++`) |
| 61 | + return nil |
| 62 | + } |
| 63 | + |
0 commit comments