[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFS: nixnote2/2.0.2-2~bpo9+1

On Sun, 15 Oct 2017 at 16:52:45 +0800, Boyuan Yang wrote:
> However, I noticed that the sponsored upload did not include original tarball. 
> Is that intentional or a mistake?

If the upload wasn't rejected by the archive software then it's fine :-)

> I know that for any upload other than -1, the orig tarball won't be included 
> when building by default. I'm not sure about the policy of backporting 
> softwares but I did upload to mentors.d.n with the orig tarball in case we 
> need it. [1]

If in doubt, include the orig tarball (debuild -sa) - it never does any
harm, except for some extra upload size. On mentors.d.n it might make it
a little easier to review a package.

However, only the first upload to a particular archive (apt repository)
needs the orig tarball. Backports are part of the main Debian archive
(as mirrored on http://deb.debian.org/debian and in many other places),
so they should never need the orig tarball, because backports policy
says only the version in testing (or from unstable if there are urgent
security fixes) can be backported, and by definition that version already
has complete source code in the main Debian archive.

The main pain point for inclusion of orig tarballs is the security archive
(http://security.debian.org), which is run separately: so if foo_1.2-3
is in stable, when its first security vulnerability is found, the upload
of foo_1.2-3+deb9u1 to the security archive needs an orig tarball even
though its version number would indicate otherwise (but a second security
fix in foo_1.2-3+deb9u2 would not need the orig tarball, because it was
already part of foo_1.2-3+deb9u1).


Reply to: