summaryrefslogtreecommitdiff
path: root/NOTES.dgit-downstream-dsc.7.pod
blob: 9be7cc3f51f58af8599c6fc3d8799368b4d21749 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
NOTE This text was once going to be part of dgit-downstream-dsc(7) or
    dgit-downstream-dsc(5).  It probably wants to be reworked, and
    maybe put there, to fix
  #810829   want instructions for reprepro-style small repo

This guide is to help you if:

 * you are a distro which is a downstream of Debian (directly
   or indirectly)

 * you want to publish source packages as well as git branches

You will also need:

 * A git server.  [...]

   There are various options for the git server, depending on how much
   you trust your uploaders.  There are four levels of trust and
   sophistication:

 shell account

   For use when uploaders have shell accounts on the server and you
   trust them completely.  You then do not need to install any special
   software on the server.

 dgit-repos-server

   Your uploaders do not (necessarily) have shell accounts.
   You will need to collect their ssh keys and also their PGP
   signing keys.  You can restrict uploads on a per-package
   per-key basis by using the Debian `dm.txt' format.

 dgit-repos-server + policy hook

   You want to impose additional policy.  For example, Debian's
   copyright review process means that uploads of new packages are
   initially not public: dgit-repos-policy-debian is an example.

 custom implementation

   From the dgit client's point of view, the dgit git server is a git
   server accessed by ssh (when pushing) or https (when fetching).
   You may use anything that has the right properties for your needs.
   dgit primarily authenticates pushes by signing tags, so your
   software will probably need to check and verify that tag
   appropriately before accepting a push.  dgit-repos-server knows how
   to do this properly.

Set up your git server, as follows:

 shell account

   Make a suitable (sub)directory.  You should create a _template.git
   bare repo, with appropriate permissions.  When new packages are
   uploaded, this _template.git will be copied.  You will probably
   want to set core.sharedRepository in the template, and/or arrange
   for personal groups and 002 umask.

 dgit-repos-server

   Additionally, install dgit-infrastructure.  Create a service
   account `dgit' on the server.  For each authorised uploader, put
   their ssh key in dgit's authorized_keys file, with a
   restricted_command specifying the dgit-repos-server invocation.
   Put the keyring where dgit-repos-server can find it.
   Consult the comment at the top of dgit-repos-server for the
   restricted command rune.