-rw-r--r--debian/changelog65
-rw-r--r--debian/compat1
-rw-r--r--debian/control23
-rw-r--r--debian/copyright19
-rw-r--r--debian/gbp.conf10
-rw-r--r--debian/lintian-overrides2
-rw-r--r--debian/patches/0001-joeyh-patches.patch260
-rw-r--r--debian/patches/series1
-rwxr-xr-xdebian/rules11
-rw-r--r--debian/source/format1
-rw-r--r--debian/source/lintian-overrides1
11 files changed, 394 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..4882397
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,65 @@
+git-remote-gcrypt (0.20130908-8) unstable; urgency=medium
+
+ * Adopt git-remote-gcrypt package (Closes: #771020).
+ * Install man page using rst2man, rather than just installing README.rst
+ (Closes: #725455).
+ * Add Vcs-Git: & Vcs-Browser: pointing at my repository.
+ * Switch dpkg-source format to 3.0 (quilt).
+ * Move changes by Joey Hess into a quilt patch.
+ Update debian/copyright accordingly.
+ * Bump Standards-Version.
+ * Add debian/gbp.conf.
+ * Override Lintian tags no-upstream-changelog & debian-watch-file-is-missing.
+
+ -- Sean Whitton <spwhitton@spwhitton.name> Thu, 07 Jan 2016 11:03:01 -0700
+
+git-remote-gcrypt (0.20130908-7) unstable; urgency=medium
+
+ * Added gcrypt.publish-participants configuration setting.
+
+ -- Joey Hess <joeyh@debian.org> Tue, 15 Jul 2014 17:40:22 -0400
+
+git-remote-gcrypt (0.20130908-6) unstable; urgency=medium
+
+ * Fix to work when there is no controlling terminal, but GPG_AGENT_INFO
+ is set. Pass --no-tty to gpg in this situation. This is needed
+ to interoperate with the git-annex assistant, which often runs without
+ a controlling terminal, and will in a new version always do so.
+
+ -- Joey Hess <joeyh@debian.org> Thu, 15 May 2014 14:35:03 -0400
+
+git-remote-gcrypt (0.20130908-5) unstable; urgency=low
+
+ * Better signature validation for subkeys.
+ Closes https://github.com/blake2-ppc/git-remote-gcrypt/pull/7
+ * Stop passing --fast-list to gpg as this sometimes causes it to not
+ display key fingerprints, which git-remote-gcrpyt needs.
+ Closes https://github.com/blake2-ppc/git-remote-gcrypt/issues/8
+
+ -- Joey Hess <joeyh@debian.org> Thu, 26 Sep 2013 15:58:52 -0400
+
+git-remote-gcrypt (0.20130908-4) unstable; urgency=low
+
+ * Added --check option.
+
+ -- Joey Hess <joeyh@debian.org> Thu, 19 Sep 2013 12:10:24 -0400
+
+git-remote-gcrypt (0.20130908-3) unstable; urgency=low
+
+ * Add remote.<name>.gcrypt-signingkey config.
+
+ -- Joey Hess <joeyh@debian.org> Tue, 17 Sep 2013 15:33:35 -0400
+
+git-remote-gcrypt (0.20130908-2) unstable; urgency=low
+
+ * Set --trust-model=always when encrypting.
+ Needed to interoperate with git-annex.
+ Closes https://github.com/blake2-ppc/git-remote-gcrypt/issues/3
+
+ -- Joey Hess <joeyh@debian.org> Mon, 16 Sep 2013 15:49:16 -0400
+
+git-remote-gcrypt (0.20130908-1) unstable; urgency=low
+
+ * Initial release.
+
+ -- Joey Hess <joeyh@debian.org> Sun, 08 Sep 2013 20:08:23 -0400
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..ae8f9d2
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,23 @@
+Source: git-remote-gcrypt
+Section: vcs
+Priority: optional
+Build-Depends: debhelper (>= 9), python-docutils (>= 0.12+dfsg)
+Maintainer: Sean Whitton <spwhitton@spwhitton.name>
+Standards-Version: 3.9.6
+Homepage: https://github.com/bluss/git-remote-gcrypt
+Vcs-Git: https://git.spwhitton.name/git-remote-gcrypt
+Vcs-Browser: https://git.spwhitton.name/?p=git-remote-gcrypt.git;a=summary
+
+Package: git-remote-gcrypt
+Architecture: all
+Depends: git, gnupg | gnupg2, ${misc:Depends}
+Recommends: rsync, curl
+Description: encrypted git repositories
+ This lets git store git repositories in encrypted form.
+ It supports storing repositories on rsync or sftp servers.
+ It can also store the encrypted git repository inside a remote git
+ repository. All the regular git commands like git push and git pull
+ can be used to operate on such an encrypted repository.
+ .
+ The aim is to provide confidential, authenticated git storage and
+ collaboration using typical untrusted file hosts or services.
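Review bot: `Depends: git, gnupg | gnupg2` can be satisfied by gnupg2 alone, but the script patched in this same commit always invokes the binary as `gpg` (both branches of `rungpg`). If the gnupg2 package on the target release installs only `gpg2`, the helper would fail at runtime with nothing in the package relationships to prevent it. `rungpg` also adds `--no-tty` only when `GPG_AGENT_INFO` is set, and newer GnuPG 2.x agents may not export that variable (worth confirming), so the no-terminal fix might not take effect with that alternative. Either narrow the field to `Depends: git, gnupg, ${misc:Depends}` or make the gpg command name configurable in the script before offering gnupg2.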
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..8eca5c0
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,19 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://github.com/bluss/git-remote-gcrypt
+
+Files: *
+Copyright: (C) 2013 engla
+License: GPL-2+
+
+Files: debian/*
+Copyright: (C) 2015 Sean Whitton <spwhitton@spwhitton.name>
+ (C) 2013, 2014 Joey Hess <id@joeyh.name>
+License: GPL-2+
+
+Files: debian/patches/0001-joeyh-patches.patch
+Copyright: (C) 2013, 2014 Joey Hess <id@joeyh.name>
+License: GPL-2+
+
+License: GPL-2+
+ On Debian systems, the complete text of the GPL-2 can be found in
+ /usr/share/common-licenses/GPL-2.
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..4f39baa
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,10 @@
+[DEFAULT]
+upstream-branch = upstream
+debian-branch = master
+upstream-tag = %(version)s
+debian-tag = debian/%(version)s
+
+#postbuild = lintian $GBP_CHANGES_FILE
+color = on
+compression = gz
+compression-level = 9
diff --git a/debian/lintian-overrides b/debian/lintian-overrides
new file mode 100644
index 0000000..0aa67ea
--- /dev/null
+++ b/debian/lintian-overrides
@@ -0,0 +1,2 @@
+no-upstream-changelog
+
diff --git a/debian/patches/0001-joeyh-patches.patch b/debian/patches/0001-joeyh-patches.patch
new file mode 100644
index 0000000..14db716
--- /dev/null
+++ b/debian/patches/0001-joeyh-patches.patch
@@ -0,0 +1,260 @@
+From: Sean Whitton <spwhitton@spwhitton.name>
+Date: Sat, 12 Dec 2015 16:06:55 -0700
+Subject: joeyh-patches
+
+---
+ README.rst | 32 +++++++++++++++++--
+ git-remote-gcrypt | 93 +++++++++++++++++++++++++++++++++++++++++--------------
+ 2 files changed, 98 insertions(+), 27 deletions(-)
+
+diff --git a/README.rst b/README.rst
+index f177913..ba06259 100644
+--- a/README.rst
++++ b/README.rst
+@@ -60,10 +60,25 @@ The following ``git-config(1)`` variables are supported:
+ The ``gcrypt-participants`` setting on the remote takes precedence
+ over the repository variable ``gcrypt.participants``.
+
++``remote.<name>.gcrypt-publish-participants``
++ ..
++``gcrypt.publish-participants``
++ By default, the gpg key ids of the participants are obscured by
++ encrypting using `gpg -R`. Setting this option to `true` disables
++ that security measure.
++
++ The problem with using `gpg -R` is that to decrypt, gpg tries each
++ available secret key in turn until it finds a usable key.
++ This can result in unncessary passphrase prompts.
++
++``remote.<name>.gcrypt-signingkey``
++ ..
+ ``user.signingkey``
+- (From regular git configuration) The key to use for signing. You
+- should set ``user.signingkey`` if your default signing key is not
+- part of the participant list.
++ (The latter from regular git configuration) The key to use for signing.
++ You should set ``user.signingkey`` if your default signing key is not
++ part of the participant list. You may use the per-remote version
++ to sign different remotes using different keys.
++
+
+ Environment Variables
+ =====================
+@@ -170,6 +185,17 @@ Each item extends until newline, and matches one of the following:
+ ``extn <name> ...``
+ Extension field, preserved but unused.
+
++Detecting gcrypt repos
++======================
++
++To detect if a git url is a gcrypt repo, use: git-remote-gcrypt --check url
++Exit status if 0 if the repo exists and can be decrypted, 1 if the repo
++uses gcrypt but could not be decrypted, and 100 if the repo is not
++encrypted with gcrypt (or could not be accessed).
++
++Note that this has to fetch the repo contents into the local git
++repository, the same as is done when using a gcrypt repo.
++
+ See Also
+ ========
+
+diff --git a/git-remote-gcrypt b/git-remote-gcrypt
+index bb19652..8d68669 100755
+--- a/git-remote-gcrypt
++++ b/git-remote-gcrypt
+@@ -18,7 +18,6 @@
+ # See README.rst for usage instructions
+
+ set -e # errexit
+-set -u # nounset
+ set -f # noglob
+ set -C # noclobber
+
+@@ -177,8 +176,10 @@ update_tree()
+ {
+ local tab_=" "
+ # $2 is a filename from the repo format
+- (git ls-tree "$1" | xgrep -v -E '\b'"$2"'$';
+- xecho "100644 blob $3$tab_$2") | git mktree
++ (set +e;
++ git ls-tree "$1" | xgrep -v -E '\b'"$2"'$';
++ xecho "100644 blob $3$tab_$2"
++ ) | git mktree
+ }
+
+ # Put giturl $1, file $2
+@@ -313,14 +314,14 @@ CLEAN_FINAL()
+
+ ENCRYPT()
+ {
+- gpg --batch --force-mdc --compress-algo none --passphrase-fd 3 -c 3<<EOF
++ rungpg --batch --force-mdc --compress-algo none --trust-model=always --passphrase-fd 3 -c 3<<EOF
+ $1
+ EOF
+ }
+
+ DECRYPT()
+ {
+- gpg -q --batch --no-default-keyring --secret-keyring /dev/null \
++ rungpg -q --batch --no-default-keyring --secret-keyring /dev/null \
+ --keyring /dev/null --passphrase-fd 3 -d 3<<EOF
+ $1
+ EOF
+@@ -333,7 +334,7 @@ PRIVENCRYPT()
+ if isnonnull "$Conf_signkey"; then
+ set -- "$@" -u "$Conf_signkey"
+ fi
+- gpg --compress-algo none -se "$@"
++ rungpg --compress-algo none --trust-model=always -se "$@"
+ }
+
+ # $1 is the match for good signature, $2 is the textual signers list
+@@ -341,7 +342,7 @@ PRIVDECRYPT()
+ {
+ local status_=
+ exec 4>&1 &&
+- status_=$(gpg --status-fd 3 -q -d 3>&1 1>&4) &&
++ status_=$(rungpg --status-fd 3 -q -d 3>&1 1>&4) &&
+ xfeed "$status_" grep "^\[GNUPG:\] ENC_TO " >/dev/null &&
+ (xfeed "$status_" grep -e "$1" >/dev/null || {
+ echo_info "Failed to verify manifest signature!" &&
+@@ -353,17 +354,29 @@ PRIVDECRYPT()
+ # Generate $1 random bytes
+ genkey()
+ {
+- gpg --armor --gen-rand 1 "$1"
++ rungpg --armor --gen-rand 1 "$1"
+ }
+
+ gpg_hash()
+ {
+ local hash_=
+- hash_=$(gpg --with-colons --print-md "$1" | tr A-F a-f)
++ hash_=$(rungpg --with-colons --print-md "$1" | tr A-F a-f)
+ hash_=${hash_#:*:}
+ xecho "${hash_%:}"
+ }
+
++rungpg()
++{
++ # gpg will fail to run when there is no controlling tty,
++ # due to trying to print messages to it, even if a gpg agent is set
++ # up. --no-tty fixes this.
++ if [ "x$GPG_AGENT_INFO" != "x" ]; then
++ gpg --no-tty "$@"
++ else
++ gpg "$@"
++ fi
++}
++
+ # Pass the branch/ref by pipe to git
+ safe_git_rev_parse()
+ {
+@@ -388,10 +401,13 @@ make_new_repo()
+ # $1 return var for goodsig match, $2 return var for signers text
+ read_config()
+ {
+- local recp_= r_keyinfo= cap_= conf_part= good_sig= signers_=
+- Conf_signkey=$(git config --path user.signingkey || :)
++ local recp_= r_keyinfo= r_keyfpr= gpg_list= cap_= conf_part= good_sig= signers_=
++ Conf_signkey=$(git config --get "remote.$NAME.gcrypt-signingkey" '.+' ||
++ git config --path user.signingkey || :)
+ conf_part=$(git config --get "remote.$NAME.gcrypt-participants" '.+' ||
+ git config --get gcrypt.participants '.+' || :)
++ Conf_pubish_participants=$(git config --get --bool "remote.$NAME.gcrypt-publish-participants" '.+' ||
++ git config --get --bool gcrypt.publish-participants || :)
+
+ # Figure out which keys we should encrypt to or accept signatures from
+ if isnull "$conf_part" || iseq "$conf_part" simple
+@@ -406,22 +422,33 @@ read_config()
+
+ for recp_ in $conf_part
+ do
+- filter_to @r_keyinfo "pub*" \
+- "$(gpg --with-colons --fast-list -k "$recp_")"
++ gpg_list=$(rungpg --with-colons --fingerprint -k "$recp_")
++ filter_to @r_keyinfo "pub*" "$gpg_list"
++ filter_to @r_keyfpr "fpr*" "$gpg_list"
+ isnull "$r_keyinfo" || isnonnull "${r_keyinfo##*"$Newline"*}" ||
+ echo_info "WARNING: '$recp_' matches multiple keys, using one"
++ isnull "$r_keyfpr" || isnonnull "${r_keyfpr##*"$Newline"*}" ||
++ echo_info "WARNING: '$recp_' matches multiple fingerprints, using one"
+ r_keyinfo=${r_keyinfo%%"$Newline"*}
++ r_keyfpr=${r_keyfpr%%"$Newline"*}
+ keyid_=$(xfeed "$r_keyinfo" cut -f 5 -d :)
++ fprid_=$(xfeed "$r_keyfpr" cut -f 10 -d :)
+
+- isnonnull "$keyid_" &&
++ isnonnull "$fprid_" &&
+ signers_="$signers_ $keyid_" &&
+- append_to @good_sig "^\[GNUPG:\] GOODSIG $keyid_" || {
++ append_to @good_sig "^\[GNUPG:\] VALIDSIG .*$fprid_$" || {
+ echo_info "WARNING: Skipping missing key $recp_"
+ continue
+ }
+ # Check 'E'ncrypt capability
+ cap_=$(xfeed "$r_keyinfo" cut -f 12 -d :)
+- iseq "${cap_#*E}" "$cap_" || Recipients="$Recipients -R $keyid_"
++ if ! iseq "${cap_#*E}" "$cap_"; then
++ if [ "$Conf_pubish_participants" = true ]; then
++ Recipients="$Recipients -r $keyid_"
++ else
++ Recipients="$Recipients -R $keyid_"
++ fi
++ fi
+ done
+
+ if isnull "$Recipients"
+@@ -778,14 +805,8 @@ cleanup_tmpfiles()
+ rm -r -f -- "${Tempdir}" >&2
+ }
+
+-# handle git-remote-helpers protocol
+-gcrypt_main_loop()
++setup()
+ {
+- local input_= input_inner= r_args= temp_key=
+-
+- NAME=$1 # Remote name
+- URL=$2 # Remote URL
+-
+ mkdir -p "$Localdir"
+
+ # Set up a subdirectory in /tmp
+@@ -797,6 +818,17 @@ gcrypt_main_loop()
+ trap 'exit 1' 1 2 3 15
+
+ echo_info "Development version -- Repository format MAY CHANGE"
++}
++
++# handle git-remote-helpers protocol
++gcrypt_main_loop()
++{
++ local input_= input_inner= r_args= temp_key=
++
++ NAME=$1 # Remote name
++ URL=$2 # Remote URL
++
++ setup
+
+ while read input_
+ do
+@@ -848,4 +880,17 @@ gcrypt_main_loop()
+ done
+ }
+
+-gcrypt_main_loop "$@"
++if [ "x$1" = x--check ]
++then
++ NAME=dummy-gcrypt-check
++ URL=$2
++ setup
++ ensure_connected
++ git remote remove $NAME 2>/dev/null || true
++ if iseq "$Did_find_repo" "no"
++ then
++ exit 100
++ fi
++else
++ gcrypt_main_loop "$@"
++fi
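Review bot: Removing `set -u` at the top of git-remote-gcrypt turns off the unset-variable guard for the whole script, including `cleanup_tmpfiles` and its `rm -r -f -- "${Tempdir}"`, although only the two new reads need the relaxation. Keeping nounset and writing `if [ "x${GPG_AGENT_INFO:-}" != "x" ]; then` in `rungpg` and `if [ "x${1:-}" = x--check ]` at the bottom would cover the new code without weakening the rest. Separately, `read_config` now builds its match from `VALIDSIG .*$fprid_$` where it previously required `GOODSIG $keyid_`. gpg appears to emit VALIDSIG for cryptographically correct signatures from expired or revoked keys as well, so it is worth confirming that PRIVDECRYPT still rejects a manifest signed by such a key. The `--trust-model=always` added to `PRIVENCRYPT` skips key-validity checks when encrypting to participants and deserves a sentence in README.rst next to the new `gcrypt-publish-participants` text.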
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..945da4e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-joeyh-patches.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..26ba625
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,11 @@
+#!/usr/bin/make -f
+%:
+ dh $@
+
+override_dh_auto_build:
+ true
+override_dh_auto_clean:
+ true
+
+override_dh_auto_install:
+ prefix=/usr DESTDIR=debian/git-remote-gcrypt ./install.sh
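Review bot: `override_dh_auto_install` hands install.sh a relative `DESTDIR=debian/git-remote-gcrypt`, which only lands in the package tree if install.sh never changes directory before using it; `prefix=/usr DESTDIR=$(CURDIR)/debian/git-remote-gcrypt ./install.sh` removes that dependency. The two `true` overrides would also benefit from a one-line comment such as `# upstream is a single shell script: nothing to build or clean`, which is my reading of why they are stubbed out. install.sh itself is not part of this diff, so how it uses DESTDIR and where rst2man is invoked could not be checked here.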
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..45d1f2a
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1 @@
+debian-watch-file-is-missing