kc3-lang/gnulib/doc/gnulib-git-bundle.texi
Branch
-
Show log
Commit
-
Hash : 6bb58afd
Author :
Date : 2025-07-31T16:21:30
doc: Improvements for gnulib git bundle. * doc/gnulib-git-bundle.texi (Gnulib Git Bundle): Add 20250729 release. Improve reproducibility instructions.
-
doc/gnulib-git-bundle.texi
-
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81
@node Gnulib Git Bundle @section Gnulib Git Bundle To provide a serialized archival copy of the Gnulib Git repository we publish Git Bundles (@url{https://git-scm.com/docs/git-bundle}) of Gnulib at @url{https://ftp.gnu.org/gnu/gnulib/}. These may be useful if Savannah happens to be offline or if you want to have a GnuPG signed confirmation of the Gnulib content. The files are named like @code{gnulib-YYYYMMDD.bundle}, for example @code{gnulib-20250729.bundle}, where @code{YYYYMMDD} corresponds to the Git commit date (in UTC0) of the last commit on the @code{master} branch in the bundle. After downloading the Git bundle you may use it to create a local gnulib clone using normal Git commands: @example wget -nv https://ftp.gnu.org/gnu/gnulib/gnulib-20250729.bundle git clone gnulib-20250729.bundle gnulib cd gnulib @end example Below are SHA-256 checksums of known releases: @example 9dae009ef9dd7cff17b74c0cda5d7a423e2ed98b4f5b7aa29a970565b0591c06 gnulib-20250303.bundle f01e423a7ef6b48e947fabd24bb11744204f4549342416e15dc64f427caa32e2 gnulib-20250729.bundle @end example Next to the Git Bundle is a GnuPG signature on the file, named @code{gnulib-YYYYMMDD.bundle.sig}, which can be verified using GnuPG as usual: @example gpg --verify gnulib-20250729.bundle.sig @end example Or using the simpler @code{gpgv} tool like this: @example gpgv gnulib-20250729.bundle.sig gnulib-20250729.bundle @end example The following GnuPG keys have signed releases: @example sec> ed25519 2019-03-20 [SC] https://josefsson.org/key-20190320.txt B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE uid [ultimate] Simon Josefsson <simon@@josefsson.org> @end example We desire that the Gnulib Git bundles will be forever bit-by-bit reproducible for others from the official git repository. Currently gnulib maintainers may invoke the following commands to prepare and upload a Gnulib git bundle. We appreciate ideas on how to improve these set of commands (or the upstream Git tool) to make further supply-chain security related improvements. @example cd $(mktemp -d) REV=225973a89f50c2b494ad947399425182dd42618c # master branch commit to package S1REV=475dd38289d33270d0080085084bf687ad77c74d # stable-202501 branch commit S2REV=e8cc0791e6bb0814cf4e88395c06d5e06655d8b5 # stable-202507 branch commit git clone https://git.savannah.gnu.org/git/gnulib.git cd gnulib git fsck # attempt to validate input # Manually inspect that the new tree matches a trusted previous copy git checkout -B master $REV # put $REV at master # Add all stable-* branches locally: for b in $(git branch -r | grep origin/stable- | sort --version-sort); do git checkout $@{b#origin/@}; done git checkout -B stable-202501 $S1REV git checkout -B stable-202507 $S2REV git remote remove origin # drop some unrelated branches git gc --prune=now # drop any unrelated commits, not clear this helps git -c pack.threads=1 repack -adF git -c 'pack.threads=1' bundle create gnulib.bundle --all V=$(env TZ=UTC0 git show -s --date=format:%Y%m%d --pretty=%cd master) mv gnulib.bundle gnulib-$V.bundle build-aux/gnupload --to ftp.gnu.org:gnulib gnulib-$V.bundle @end example