Hi all,

In devscripts 2.13.3, uscan gained the ability to verify the signature of
the upstream tarball using a file debian/upstream-signing-key.pgp. In
2.14.0, I added the ability to use armored keys and decided to move the
files under debian/upstream/, an idea which had been suggested by a few
people.

This introduced a conflict with DEP-12 (cf. #736760), which uses
debian/upstream to track metadata about the upstream project. Tools
like umegaya[0] and Debian Med's task list[1] use the information
provided in this file.

[0]: http://upstream-metadata.debian.net/
[1]: http://blends.debian.org/med/tasks/

Part of the reason I chose to use debian/upstream/ is that an extensible
location for upstream related information (similar in spirit to
debian/source/) could be useful. I also was unaware of (or had
forgotten about) DEP-12's existing use of debian/upstream, which was
appropriated around 01/2012 as the new name for
debian/upstream-metadata.yaml.

This leads to the question of how to move forward from here.

Transitioning to debian/upstream/ would require:
- Choosing a new name for DEP-12's file and updating the wording in
DEP-12. My suggestion would be debian/upstream/metadata.
- Updating the data collection code for umegaya and Debian Blends, the
latter of which has an initial patch[2] based on my suggestion in 1).
- Renaming the file in the VCS repositories for all packages providing
this information. This is ~350 packages according to
ullman:/srv/udd.debian.org/mirrors/machine-readable, which doesn't
include packages that still haven't transitioned from
upstream-metadata.yaml. Note that this only needs to happen in the
VCS and not a source upload.

[2]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736760#35

Sticking with the status quo would require:
- Changing uscan to look for debian/upstream-signing-keys.{pgp,asc}
- Updating the ~17 packages that have started using debian/upstream/

While the latter is less work, my preference would be for the former
since it provides a consistent place to look for upstream information
in the context of a Debian source package. It seems unlikely to me both
that uscan/DEP-12 will be the only projects that will want access to
upstream-related information and that any other information would
necessarily fit into one of those two buckets that they understand.

Cheers,
--
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan@debian.org>