Re: Recreating history of a package
- Date: Sat, 16 Feb 2019 12:22:04 +0000
- From: peter green <plugwash@xxxxxxxxxxx>
- Subject: Re: Recreating history of a package
On 12/02/19 13:26, Ian Jackson wrote:
peter green writes ("Re: Recreating history of a package"):
https://github.com/plugwash/autoforwardportergit/blob/master/pooltogit will take dscs in a pool structure and import them into git repos (one per source package) using dgit, building the history based on the changelogs. It can even follow history across source package renames.
It also has the ability to use snapshotsecure to download parent versions from snapshot.debian.org , As the code stands it only uses that functionality to request immediate parents of local versions, but it could be easily modified to grab the entire history of the package (as defined by it's changelog).
Cool, thanks! Have you considered making a package of it ?
In it's present form it is specialized to the needs of autoforwardportergit, so packaging it separately (if/when I get around to packaging autoforwardportergit it will be packaged as part of that) in it's present form doesn't make much sense. It would certainly be possible to generalize it, but that would require thought/decisions on how best to do that.
Thinking more about the possibility of importing the entire history of a source package it is more problematic than my off the cuff reply implied. It would be easy to modify pooltogit to try to retrieve the entire history, but for a large proportion of packages this would result in a failure to import for several reasons.
1. Changelogs sometimes include versions that were never uploaded to Debian. I suspect they also sometimes include versions that were uploaded but were superseded before they made it to a snapshot.
2. Snapshot.debian.org is only offered over plain insecure http. For recent versions the packages can be verified against the Packages/Sources files which can in turn be verified with gpg but older versions are more problematic to verify as the relevant packages/sources files are only signed with 1024 bit keys or not signed at all. This is made worse by the fact that snapshot.debian.org has an API to obtain the first snapshot a package is available in but not any API to find the last snapshot it was available in.
3. Some packages aren't on snapshot.debian.org at all due to age.
4. Some packages are blocked on snapshot.debian.org due to license issues.