update build script to remove PKG_VERSION, use only PKG_PATH or PKG_GITREF modes.

[zenmonkeykstop]

Fixes #426

Removes option to build using PKG_VERSION. Build options are now PKG_PATH and PKG_GITREF:

• when invoked without either PKG_PATH or GITREF set, will error out (previously built last known release)
• when invoked with PKG_PATH, will use the source tree or tarball at $PKG_PATH to build package (no checkout, no tag verification)
• when invoked with PKG_GITREF, will check out corresponding gitref attempt release key verification verification if PKG_GITREF looks like a release tag (catching sneaky branches!) and, if all is well, build package

In all cases the package version will be derived from the latest version in the source tree's debian/changelog If a release tag PKG_GITREF is specified and doesn't match the changelog version, the build will not proceed.

Testing:

• test building an old prod tag X.Y.Z with PKG_GITREF=X.Y.Z scripts/build-debianpackage
• test building a non-prod tag or branch with PKG_GITREF=<ref here> scripts/build-debianpackage
• test building an existing source tree with PKG_PATH=../securedrop-foo scripts/build-debianpackage

[zenmonkeykstop]

This is why I had this PR in draft - this check breaks CI and will probably break nightlies, as the versions won't match. could keep it and apply only for tags matching prod format regex...

[legoktm]

Nothing wrong with your code from a quick skim, but I'm not really sure we need to keep PKG_VERSION around? It currently does only two things 1) verify prod signed tag 2) print out what version we're using.

No. 2 is duplicative of dpkg-buildpackage's own message ("dpkg-buildpackage: info: source package securedrop-client
" & "dpkg-buildpackage: info: source version 0.9.0-rc2+bullseye").

So that just leaves No. 1, verifying the prod signed tag. And I feel like there's a better way to do that... for example, we could run git tag --points-at HEAD and see whether it prints a \d+?\.\d+?\.\d+? matching string and if so, verify against the prod key.

[zenmonkeykstop]

I'd go so far as to say (2) is actually misleading (hence the PR) - the package version is determined by the changelog, not by the tagged version that gets checked out. IMO we still have 3 basic cases to cover:

• like, build whatever source tree we get pointed at (wanna build a branch? nightlies? wanna build an rc? this is for you)
• check out an arbitrary ref and build it (wanna build as above without the hassle of prepping a source tree? et voila)
• check out a ref we expect to have a prod-signed tag and if so, build it (ok this is a serious build, let's be duly diligent)

But maybe what this actually points to is that we should be decomposing this script, doing the source tree prep and optional verification elsewhere if required, always just providing the prepped source tree, and focusing on the debian build bits.

[legoktm]

I'd go so far as to say (2) is actually misleading (hence the PR) - the package version is determined by the changelog, not by the tagged version that gets checked out.

Agreed.

IMO we still have 3 basic cases to cover:

• like, build whatever source tree we get pointed at (wanna build a branch? nightlies? wanna build an rc? this is for you)

• check out an arbitrary ref and build it (wanna build as above without the hassle of prepping a source tree? et voila)

• check out a ref we expect to have a prod-signed tag and if so, build it (ok this is a serious build, let's be duly diligent)

The third bullet is really just a special case of the second, no? In the MediaWiki release script that's basically how I treated it - accept any git ref, but if that ref is a tag, perform extra checks: https://gitlab.wikimedia.org/repos/releng/release/-/blob/f9857bd33d694aa6c492372f4111f599a3df6c87/make-release/makerelease2.py#L82

But maybe what this actually points to is that we should be decomposing this script, doing the source tree prep and optional verification elsewhere if required, always just providing the prepped source tree, and focusing on the debian build bits.

"Yes, but..." I think that would be the ideal state to end up in, but I think we right now don't have a lot of confidence/trust in our builds yet because it is convoluted that I think having just one thing to run for now is better and once the whole process is simpler we can start breaking it down a bit.

[zenmonkeykstop]

OK this is probably in better shape if @legoktm or anyone else has 👀 time. PKG_VERSION dropped altogether, some hip-height guardrails added around production builds. (Note that I'm choosing to verify if the ref provided just looks like a tag, this is intentional to catch branches named using the release tag format.)

[legoktm]

Minor thing, otherwise looks good. I do think we have officially reached the limits of what we can safely + easily do in bash scripting and any more complexity likely needs a Python port first.

[legoktm]

Unnecessary ) ?

[zenmonkeykstop]

Nuked!

[zenmonkeykstop]

Minor thing, otherwise looks good. I do think we have officially reached the limits of what we can safely + easily do in bash scripting and any more complexity likely needs a Python port first.

I'd agree with this assessment, was hard to resist the temptation.

[legoktm]

LGTM, test plan checks out. Docs PR is in progress, don't think we need to block on that.