summaryrefslogtreecommitdiff
path: root/NOTES.dgit-downstream-dsc.7.pod
diff options
context:
space:
mode:
Diffstat (limited to 'NOTES.dgit-downstream-dsc.7.pod')
-rw-r--r--NOTES.dgit-downstream-dsc.7.pod69
1 files changed, 69 insertions, 0 deletions
diff --git a/NOTES.dgit-downstream-dsc.7.pod b/NOTES.dgit-downstream-dsc.7.pod
new file mode 100644
index 0000000..9be7cc3
--- /dev/null
+++ b/NOTES.dgit-downstream-dsc.7.pod
@@ -0,0 +1,69 @@
+NOTE This text was once going to be part of dgit-downstream-dsc(7) or
+ dgit-downstream-dsc(5). It probably wants to be reworked, and
+ maybe put there, to fix
+ #810829 want instructions for reprepro-style small repo
+
+This guide is to help you if:
+
+ * you are a distro which is a downstream of Debian (directly
+ or indirectly)
+
+ * you want to publish source packages as well as git branches
+
+You will also need:
+
+ * A git server. [...]
+
+ There are various options for the git server, depending on how much
+ you trust your uploaders. There are four levels of trust and
+ sophistication:
+
+ shell account
+
+ For use when uploaders have shell accounts on the server and you
+ trust them completely. You then do not need to install any special
+ software on the server.
+
+ dgit-repos-server
+
+ Your uploaders do not (necessarily) have shell accounts.
+ You will need to collect their ssh keys and also their PGP
+ signing keys. You can restrict uploads on a per-package
+ per-key basis by using the Debian `dm.txt' format.
+
+ dgit-repos-server + policy hook
+
+ You want to impose additional policy. For example, Debian's
+ copyright review process means that uploads of new packages are
+ initially not public: dgit-repos-policy-debian is an example.
+
+ custom implementation
+
+ From the dgit client's point of view, the dgit git server is a git
+ server accessed by ssh (when pushing) or https (when fetching).
+ You may use anything that has the right properties for your needs.
+ dgit primarily authenticates pushes by signing tags, so your
+ software will probably need to check and verify that tag
+ appropriately before accepting a push. dgit-repos-server knows how
+ to do this properly.
+
+Set up your git server, as follows:
+
+ shell account
+
+ Make a suitable (sub)directory. You should create a _template.git
+ bare repo, with appropriate permissions. When new packages are
+ uploaded, this _template.git will be copied. You will probably
+ want to set core.sharedRepository in the template, and/or arrange
+ for personal groups and 002 umask.
+
+ dgit-repos-server
+
+ Additionally, install dgit-infrastructure. Create a service
+ account `dgit' on the server. For each authorised uploader, put
+ their ssh key in dgit's authorized_keys file, with a
+ restricted_command specifying the dgit-repos-server invocation.
+ Put the keyring where dgit-repos-server can find it.
+ Consult the comment at the top of dgit-repos-server for the
+ restricted command rune.
+