In each Ubuntu Kernel Team git repository the Ubuntu-* tags represent the git commit which was used to build the official source package for any particular upload. For instance in the ubuntu-precice git the tag Ubuntu-3.2.0-23.36 represents the 3.2.0-23.36 source upload. Some tags have an additional -lts- component indicating they are the official LTS backport for the containing release, in the ubuntu-lucid git repository the tag Ubuntu-lts-3.0.0-18.31 represents the 3.0.0-18.31 oneiric LTS backport for lucid.
You can use the Launchpad versions page for the linux package to determine the current versions uploaded into each pocket of each release:
https://www.launchpad.net/ubuntu/+source/linux
All recent tags should be signed by the committer to prevent modification. You should be safe to build any official tag and expect to get a substantially similar result to the uploaded binary packages for that release.
Short answer: to get it all, you have to download the source packages individually; there is no single public browsing service for Ubuntu generally available today. But we're working on it!
Long answer:
The canonical source code for all of Ubuntu is available as source packages. You can go to https://launchpad.net/ubuntu/+source/hello, for example, click on one of the version numbers, and you can download the sources from the Downloads section. To find the source for every version of hello ever published by Ubuntu, you can follow the link to view its full publishing history and click on any version number string from there. The same URL pattern works for any source package; you just need to know the name of the source package.
The source packages are canonical because they are the basic unit that Ubuntu developers work with to develop Ubuntu. But they are somewhat unwieldy;
unpacking a source package needs some tooling. dget, from the devscripts package, can download, verify and unpack a source package in one command if you give it the URL to the dsc file.
This is, of course, not very convenient.
Years ago, there was an effort to make this better. Ubuntu called it "Ubuntu Distributed Development", or UDD for short, and developed a distributed version control system called Bazaar to try to solve this problem. As part of this effort, source packages were automatically imported into the Bazaar VCS hosting platform on Launchpad as they were published. At that time, you could theoretically find the source code for any package at code.launchpad.net. For example, you can still see the Bazaar-imported sources for the hello package for the Precise and Trusty Ubuntu releases at https://code.launchpad.net/ubuntu/+source/hello.
Bazaar focused on a specific set of use cases, and had a very well thought out command line interface. Jelmer Vernooij, one of its developers, has written an interesting retrospective on the development of Bazaar, including how this fitted in with the other distributed version control systems being developed at the time.
In time, git took over the world, and Bazaar took a back seat. Meanwhile, UDD had started to show its cracks. An increasing number of packages failed to import and needed manual intervention to fix. This meant that, even as Ubuntu development on source packages continued, the Bazaar view of those packages at code.launchpad.net failed to be updated.
Eventually, the UDD importer was turned off because nobody was maintaining it and it wasn't considered worth keeping it running.
Concurrently to this, in 2014 I published some notes on how I was using git to perform Ubuntu development; even though at the time Ubuntu packages weren't being maintained in git in general.
This git-based workflow has been adopted by my team (the Ubuntu Server team) and we have continued to work on making Ubuntu sources available through git. A colleague and I have started writing a blog series (as yet unfinished) explaining what we're doing.
The git repositories you found for some packages are a result of our importer (~usd-import-team). We're still actively working on this, which is why not all packages are available this way yet. We are not yet at "beta" stage, expect to re-import all packages before we are ready (breaking all previous commit hashes), and aren't keeping all imported repositories up to date with the latest Ubuntu development work yet. But where we have imported a particular version of a package, it should be accurate enough to browse.
We hope to ramp up to importing all packages and keeping them up-to-date automatically in the next few months.
One of our goals is exactly to solve the question you're asking: to have a single official place on Launchpad where all Ubuntu source code can be browsed.
Best Answer
Well, the dsc file is signed and contains hashes of the files to be downloaded:
So a signed dsc file with checksums of the tarballs in it ~ closest you'll get to signed source code.
It does try.
apt-getdoes attempt to verify it:But in my case it didn't succeed because I hadn't imported the corresponding key yet. The dsc files are usually signed by the developer who created it, and AFAICT there is no single place where all such keys are listed. The various Ubuntu developers are members of various groups on Launchpad, and the Launchpad profiles of the developers should list their GPG keys. For example, see the Ubuntu Kernel Uploaders team, or the combined Ubuntu Developers team (which in turn includes many other teams).
In this specific case, the signer is Canonical employee Stefan Bader. You can fetch the key from the Ubuntu keyserver, but you might want to do so using HKPS.
The
dscverifytool can be used for that.Well, going by Stefan Bader's or Andy Whitcroft's (who seems to have signed this tag, for example) keyserver listings, yes.