|
|
@node Gnulib Git Bundle |
|
|
@section Gnulib Git Bundle |
|
|
|
|
|
To provide a serialized archival copy of the Gnulib Git repository we |
|
|
publish Git Bundles (@url{https: |
|
|
Gnulib at @url{https: |
|
|
if Savannah happens to be offline or if you want to have a GnuPG |
|
|
signed confirmation of the Gnulib content. |
|
|
|
|
|
The files are named like @code{gnulib-YYYYMMDD.bundle}, for example |
|
|
@code{gnulib-20250729.bundle}, where @code{YYYYMMDD} corresponds to |
|
|
the Git commit date (in UTC0) of the last commit on the @code{master} |
|
|
branch in the bundle. |
|
|
|
|
|
After downloading the Git bundle you may use it to create a local |
|
|
gnulib clone using normal Git commands: |
|
|
|
|
|
@example |
|
|
wget -nv https: |
|
|
git clone gnulib-20250729.bundle gnulib |
|
|
cd gnulib |
|
|
@end example |
|
|
|
|
|
Below are SHA-256 checksums of known releases: |
|
|
|
|
|
@example |
|
|
9dae009ef9dd7cff17b74c0cda5d7a423e2ed98b4f5b7aa29a970565b0591c06 gnulib-20250303.bundle |
|
|
f01e423a7ef6b48e947fabd24bb11744204f4549342416e15dc64f427caa32e2 gnulib-20250729.bundle |
|
|
@end example |
|
|
|
|
|
Next to the Git Bundle is a GnuPG signature on the file, named |
|
|
@code{gnulib-YYYYMMDD.bundle.sig}, which can be verified using GnuPG |
|
|
as usual: |
|
|
|
|
|
@example |
|
|
gpg --verify gnulib-20250729.bundle.sig |
|
|
@end example |
|
|
|
|
|
Or using the simpler @code{gpgv} tool like this: |
|
|
|
|
|
@example |
|
|
gpgv gnulib-20250729.bundle.sig gnulib-20250729.bundle |
|
|
@end example |
|
|
|
|
|
The following GnuPG keys have signed releases: |
|
|
|
|
|
@example |
|
|
sec> ed25519 2019-03-20 [SC] https: |
|
|
B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE |
|
|
uid [ultimate] Simon Josefsson <simon@@josefsson.org> |
|
|
@end example |
|
|
|
|
|
We desire that the Gnulib Git bundles will be forever bit-by-bit |
|
|
reproducible for others from the official git repository. Currently |
|
|
gnulib maintainers may invoke the following commands to prepare and |
|
|
upload a Gnulib git bundle. We appreciate ideas on how to improve |
|
|
these set of commands (or the upstream Git tool) to make further |
|
|
supply-chain security related improvements. |
|
|
|
|
|
@example |
|
|
cd $(mktemp -d) |
|
|
REV=225973a89f50c2b494ad947399425182dd42618c # master branch commit to package |
|
|
S1REV=475dd38289d33270d0080085084bf687ad77c74d # stable-202501 branch commit |
|
|
S2REV=e8cc0791e6bb0814cf4e88395c06d5e06655d8b5 # stable-202507 branch commit |
|
|
git clone https: |
|
|
cd gnulib |
|
|
git fsck # attempt to validate input |
|
|
# Manually inspect that the new tree matches a trusted previous copy |
|
|
git checkout -B master $REV # put $REV at master |
|
|
# Add all stable-* branches locally: |
|
|
for b in $(git branch -r | grep origin/stable- | sort --version-sort); do git checkout $@{b#origin/@}; done |
|
|
git checkout -B stable-202501 $S1REV |
|
|
git checkout -B stable-202507 $S2REV |
|
|
git remote remove origin # drop some unrelated branches |
|
|
git gc --prune=now # drop any unrelated commits, not clear this helps |
|
|
git -c pack.threads=1 repack -adF |
|
|
git -c 'pack.threads=1' bundle create gnulib.bundle --all |
|
|
V=$(env TZ=UTC0 git show -s --date=format:%Y%m%d --pretty=%cd master) |
|
|
mv gnulib.bundle gnulib-$V.bundle |
|
|
build-aux/gnupload --to ftp.gnu.org:gnulib gnulib-$V.bundle |
|
|
@end example |
|
|
|
