path: root/NOTES.dgit-downstream-dsc.7.pod
diff options
authorSean Whitton <>2018-07-19 01:09:16 +0800
committerSean Whitton <>2018-07-19 01:09:16 +0800
commitd0492d8f40b05ea5f4d378cd34221a9cd66cbfcd (patch)
treed79f415f344a81aca8d18e916b7016a84aec5793 /NOTES.dgit-downstream-dsc.7.pod
parenteb07108c1051f227c83de01781f498a330faae43 (diff)
parent15fbfc94b8c6a08cffdf0f9a7ed5870252ad4416 (diff)
Merge tag 'debian/5.10' into stretch-bpo
dgit release 5.10 for unstable (sid) [dgit] [dgit distro=debian] # gpg: Signature made Sun 15 Jul 2018 01:12:02 AM CST # gpg: using RSA key 559AE46C2D6B6D3265E7CBA1E3E3392348B50D39 # gpg: Can't check signature: No public key
Diffstat (limited to 'NOTES.dgit-downstream-dsc.7.pod')
1 files changed, 69 insertions, 0 deletions
diff --git a/NOTES.dgit-downstream-dsc.7.pod b/NOTES.dgit-downstream-dsc.7.pod
new file mode 100644
index 0000000..9be7cc3
--- /dev/null
+++ b/NOTES.dgit-downstream-dsc.7.pod
@@ -0,0 +1,69 @@
+NOTE This text was once going to be part of dgit-downstream-dsc(7) or
+ dgit-downstream-dsc(5). It probably wants to be reworked, and
+ maybe put there, to fix
+ #810829 want instructions for reprepro-style small repo
+This guide is to help you if:
+ * you are a distro which is a downstream of Debian (directly
+ or indirectly)
+ * you want to publish source packages as well as git branches
+You will also need:
+ * A git server. [...]
+ There are various options for the git server, depending on how much
+ you trust your uploaders. There are four levels of trust and
+ sophistication:
+ shell account
+ For use when uploaders have shell accounts on the server and you
+ trust them completely. You then do not need to install any special
+ software on the server.
+ dgit-repos-server
+ Your uploaders do not (necessarily) have shell accounts.
+ You will need to collect their ssh keys and also their PGP
+ signing keys. You can restrict uploads on a per-package
+ per-key basis by using the Debian `dm.txt' format.
+ dgit-repos-server + policy hook
+ You want to impose additional policy. For example, Debian's
+ copyright review process means that uploads of new packages are
+ initially not public: dgit-repos-policy-debian is an example.
+ custom implementation
+ From the dgit client's point of view, the dgit git server is a git
+ server accessed by ssh (when pushing) or https (when fetching).
+ You may use anything that has the right properties for your needs.
+ dgit primarily authenticates pushes by signing tags, so your
+ software will probably need to check and verify that tag
+ appropriately before accepting a push. dgit-repos-server knows how
+ to do this properly.
+Set up your git server, as follows:
+ shell account
+ Make a suitable (sub)directory. You should create a _template.git
+ bare repo, with appropriate permissions. When new packages are
+ uploaded, this _template.git will be copied. You will probably
+ want to set core.sharedRepository in the template, and/or arrange
+ for personal groups and 002 umask.
+ dgit-repos-server
+ Additionally, install dgit-infrastructure. Create a service
+ account `dgit' on the server. For each authorised uploader, put
+ their ssh key in dgit's authorized_keys file, with a
+ restricted_command specifying the dgit-repos-server invocation.
+ Put the keyring where dgit-repos-server can find it.
+ Consult the comment at the top of dgit-repos-server for the
+ restricted command rune.