Updating the package
====================
-1. Run d/make_orig_multi.sh.
+1. Run d/make_orig_multi.sh <version>.
2. Verify the -deps component tarball to make sure it looks good.
If not, edit d/make_orig_multi.sh and the surrounding files (such as patches
and exclude files) and repeat the above until it looks good.
3. $ git fetch upstream
You might have to first run:
$ git remote add upstream https://github.com/rust-lang/cargo
-4. $ gbp import-orig ../cargo_0.16.0.orig.tar.gz
+4. $ gbp import-orig ../cargo_<version>.orig.tar.gz
If you get errors, check the extra default flags in d/gbp.conf
General info
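Review bot: step 2 still says only "verify the -deps component tarball to make sure it looks good", but with this change the script itself produces the thing to verify: a list of files that `file(1)` does not classify as text, followed by instructions to add each one to the unsuspicious whitelist (after auditing) or to the filter list. Spell that out in step 2, e.g. "Audit every file printed after 'Checking for suspicious files...'; add it to deps-tarball-unsuspicious.txt if it is benign, or to deps-tarball-filter.txt if it must not be shipped, then re-run", so the report is not mistaken for informational output. Step 1 should also say what `<version>` is (the upstream cargo version, the same string that ends up in cargo_<version>.orig.tar.gz in step 4), since this is the only place the argument is introduced.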
--- /dev/null
+# This is a list of files and dirs that are omitted from our custom
+# "suspicious files" scanner
+
+# test data
+flate2-*/tests/
+tar-*/tests/archives/
+term-*/tests/data/
+toml-*/tests/
+
+# misc support data
+hamcrest-*/LICENSE-*
+*/.travis.yml
+# "build status" link-images etc take up a lot of line-length
+*/README.md
+
+# individual files, manually audited:
+idna-*/tests/IdnaTest.txt
+idna-*/src/uts46_mapping_table.rs
+regex-*/src/testdata/basic.dat
+regex-*/tests/fowler.rs
+libgit2-sys-*/libgit2/src/openssl_stream.c
+term-*/scripts/id_rsa.enc
+url-*/github.png
+num-*/doc/favicon.ico
+num-*/doc/rust-logo-128x128-blk-v2.png
+num-*/.travis/deploy.enc
+miniz-sys-*/miniz.c
+docopt-*/src/test/testcases.rs
+winapi-*/src/winnt.rs
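Review bot: the "individual files, manually audited" entries are written with an unpinned version glob (`winapi-*/src/winnt.rs`, `miniz-sys-*/miniz.c`, `libgit2-sys-*/libgit2/src/openssl_stream.c`, and the rest), so an audit done against one crate release silently covers every later release of that crate and a changed file in a future vendoring would never be reported again. Either pin the crate version in these patterns and update them when Cargo.lock moves, or at least note in the comment that each entry must be re-audited whenever the crate version changes. `term-*/scripts/id_rsa.enc` and `num-*/.travis/deploy.enc` are the same problem in a stronger form: they are encrypted blobs whose content cannot be audited at all, so the file should record why shipping them is acceptable (CI-only material not used by the build), or they belong in deps-tarball-filter.txt rather than in the whitelist.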
BOOTSTRAP_PY=$(find "${PWD}" -name bootstrap.py -type f)
DEPS_FILTER=$(find "${PWD}" -name deps-tarball-filter.txt -type f)
+DEPS_SUS_WHITELIST=$(find "${PWD}" -name deps-tarball-unsuspicious.txt -type f)
# Download cargo tarball
uscan --rename ${USCAN_ARGS} --force-download --destdir "${TMPDIR}/"
# Unpack artifacts and clean embedded libs
${WORKDIR}/debian/cargo-vendor-unpack.py
-grep -v '^#' ${DEPS_FILTER} | xargs -I% sh -c 'rm -rf deps/%' &&
-tar -czf "${TMPDIR}/cargo_${CARGO_VER}.orig-deps.tar.gz" deps
+grep -v '^#' ${DEPS_FILTER} | xargs -I% sh -c 'rm -rf deps/%'
+
+# Report any suspicious files
+cp -R deps deps-scan
+grep -v '^#' ${DEPS_SUS_WHITELIST} | xargs -I% sh -c 'rm -rf deps-scan/%'
+echo "Checking for suspicious files..."
+# The following shell snippet is a bit more strict than suspicious-source(1)
+find deps-scan -type f -and -not -name '.cargo-checksum.json' -exec file '{}' \; | \
+ sed -e 's/\btext\b\(.*\), with very long lines/verylongtext\1/g' | \
+ grep -v '\b\(text\|empty\)\b' || true
+echo "The above files (if any) seem suspicious, please audit them."
+echo "If good, add them to ${DEPS_SUS_WHITELIST}."
+echo "If bad, add them to ${DEPS_FILTER}."
+rm -rf deps-scan
+
+# Pack it up, reproducibly
+GZIP=-9n tar --sort=name \
+ --mtime="./Cargo.lock" \
+ --owner=root --group=root \
+ -czf "${TMPDIR}/cargo_${CARGO_VER}.orig-deps.tar.gz" deps
# All is good, we are done!
echo "Your files are available at:"
echo "${TMPDIR}/cargo_${CARGO_VER}.orig.tar.gz \\"
echo "${TMPDIR}/cargo_${CARGO_VER}.orig-deps.tar.gz"
echo ""
-echo "Unpacked cargo sources are availabe under:"
+echo "Unpacked cargo sources are available under:"
echo "${TMPDIR}/cargo/"
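Review bot: both `grep -v '^#' ... | xargs -I% sh -c 'rm -rf deps/%'` and the new `rm -rf deps-scan/%` variant let blank lines through the grep, and the whitelist added in this change contains several. If an empty line ever reaches the `sh -c`, `%` expands to nothing and the command becomes `rm -rf deps/` (or `rm -rf deps-scan/`), silently deleting the whole tree; whether xargs -I drops empty input lines is an implementation detail, so exclude them explicitly in both places, e.g. `grep -Ev '^(#|$)'`. Two smaller points on the new scanner: the report is purely advisory (the pipeline ends in `|| true` and the tarball is packed regardless), so a maintainer who skips the audit still gets a clean-looking orig-deps tarball; capturing the find/file output and exiting non-zero when it is non-empty, with the whitelist as the escape hatch, would make the check enforceable. And `grep -v '\b\(text\|empty\)\b'` is applied to the whole `file` output line, path included, so a crate path containing the word "text" or "empty" would hide a binary; match only the part after the first `: `. Finally, `--mtime="./Cargo.lock"` assumes that file exists in the directory where `deps` lives (GNU tar takes the timestamp from it); the reproducibility of the tarball depends on that, so it deserves a comment or an explicit existence check.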