
Re: Git Packaging: Native source formats



On 8/28/19 4:00 PM, Sam Hartman wrote:
> 
> Back in the day, one of the big reasons for separating .orig.tar.gz from
> .diff.gz was to reuse upstream tarballs for space reasons, both in terms
> of space on mirrors when the pool had two Debian revisions with the same
> upstream, as well as to reduce upload time.
> 

Besides the clear separation of upstream content and downstream tweaks,
an important quality of this concept is the immutability of the upstream
code that has already been obtained, inspected, signed by a DD/DM and
subsequently deposited into the Debian archive.

I've seen cases where obtaining an upstream tarball from an official
upstream website at two different points in time results in slightly
different content. I've also seen developers deleting a git tag and then
creating a new git tag using exactly the same name/release number
pointing to a different commit. And finally, downloading a dynamically
created tarball based on a git tag does not mean you'll get exactly the
same content every time either, because the currently running
archiving/compressing tools have changed or because of the already
mentioned human factors.

A Git commit hash is somewhat more reliable than a git tag, but reliance on
the SHA-1 hash has also been mentioned as a step backward, as Debian has
moved on to a more advanced hash algorithm. These and other possibly
unforeseen problems make the concept of immutable upstream code
deposited in the Debian archive very appealing and surely more reliable
compared to the Git tag method of sourcing.

Milan
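To make the distinction drawn above concrete, here is an added example that is not part of this thread: it pins both the bytes of an upstream tarball and a digest of its extracted content, then classifies a later re-download as byte-identical, merely repacked (only the archiving/compressing tool output changed), or genuinely different (the tag was moved). The tarballs are constructed in memory with assumed file contents; the digest scheme is an illustration, not Debian's.

```python
import gzip
import hashlib
import io
import tarfile

def make_tarball(files: dict, entry_mtime: int, gzip_mtime: int) -> bytes:
    """Build a .tar.gz in memory. Constructed sample data, not a real upstream release."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), entry_mtime
            tf.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue(), mtime=gzip_mtime)

def bytes_digest(tar_gz: bytes) -> str:
    """SHA-256 of the archive as shipped: what a Checksums-Sha256 line pins."""
    return hashlib.sha256(tar_gz).hexdigest()

def content_digest(tar_gz: bytes) -> str:
    """SHA-256 over the sorted (path, file bytes) pairs of the extracted tree.
    Independent of member order, timestamps, owners and compression settings,
    so it changes only when the upstream source itself changes."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tar_gz), mode="r:gz") as tf:
        members = {m.name: (tf.extractfile(m).read() if m.isfile() else b"")
                   for m in tf.getmembers()}
    for name in sorted(members):
        h.update(name.encode()); h.update(b"\0")
        h.update(hashlib.sha256(members[name]).digest())
    return h.hexdigest()

def classify(pinned_bytes: str, pinned_content: str, fresh: bytes) -> str:
    """Compare a re-downloaded tarball with the digests recorded at upload time."""
    if bytes_digest(fresh) == pinned_bytes:
        return "identical"        # byte-for-byte the archived orig tarball
    if content_digest(fresh) == pinned_content:
        return "repacked"         # same source, only archiver/compressor output changed
    return "content-changed"      # the source behind the same tag/URL now differs

# Constructed sample tree; "pkg" and its files are assumed names.
SRC = {"pkg-1.0/README": b"hello\n", "pkg-1.0/main.c": b"int main(void){return 0;}\n"}
ORIG = make_tarball(SRC, entry_mtime=1_500_000_000, gzip_mtime=1_500_000_000)
PINNED_BYTES, PINNED_CONTENT = bytes_digest(ORIG), content_digest(ORIG)
# Same tree, regenerated later by another tool run (new timestamps in tar and gzip headers).
REPACKED = make_tarball(SRC, entry_mtime=1_600_000_000, gzip_mtime=1_600_000_000)
# Tag silently moved: one file changed behind the same release number.
MOVED = make_tarball({**SRC, "pkg-1.0/main.c": b"int main(void){return 1;}\n"},
                     entry_mtime=1_500_000_000, gzip_mtime=1_500_000_000)

if __name__ == "__main__":
    for label, t in [("orig", ORIG), ("repacked", REPACKED), ("moved-tag", MOVED)]:
        print(f"{label:10} -> {classify(PINNED_BYTES, PINNED_CONTENT, t)}")
```

Only the byte digest is what the archive's own checksums protect; the content digest is there to tell a harmless repack apart from a moved tag when the byte check fails.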
