Scripsit Richard Atterer <firstname.lastname@example.org>
> As the sponsor, you should rebuild the package from source using
> the diff from the packager, and using the upstream sources, not the sources
> provided by the packager. See this page:
I think that section may be phrased a little too harshly. It seems to
be based on an assumption that a sponsoree is necessarily less
trustworthy than a random upstream author.
It is of course true that as part of the normal quality check one does
as part of a sponsored upload, one should check that the .orig.tar.gz
does not contain spurious changes. But the idea that a sponsor should
expect only a .diff.gz from the sponsoree is unsound - you would be
less sure that the upstream source you use is the same as the one the
sponsoree created his diff against.
Ideally a sponsoree should produce a full Debian source package.
The sponsor checks it (including a sanity check of the .orig.tar.gz
in case of a new upstream version), removes the sponsoree's signature
on the .dsc and adds his own, builds a binary package, and uploads.
In practice it is acceptable for the sponsor to recompute the .diff.gz
and .dsc using dpkg-buildpackage (which in any case ought to produce
identical files). But I think the sponsoree should provide a .dsc
nevertheless, if only to document the checksum of the .orig.tar.gz he
used for packaging.
Henning Makholm "What a hideous colour khaki is."
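The check the reply describes, a sponsor confirming that the .orig.tar.gz in hand is the one whose checksum the sponsoree recorded in the .dsc, as an added shell example that is not part of this thread and not Debian's own tooling (devscripts' dscverify does this for real, together with the signature check). The script parses the Checksums-Sha256 field of a 1.0-format .dsc, compares it with the tarball on disk, and then exercises itself on a throwaway source package it constructs in a temporary directory; the package name foo, its contents and the paths are all constructed for the example, and sha256sum, md5sum, tar and awk are assumed to be available.

```shell
#!/bin/sh
# Check that an .orig.tar.gz matches the checksum and size recorded in a .dsc.
# Added example; the fixture below is constructed, not a real Debian package.
set -eu

# verify_orig_against_dsc DSC TARBALL
# Returns 0 when the tarball's sha256 and size match the .dsc entry, 1 otherwise.
verify_orig_against_dsc() {
    dsc=$1
    tarball=$2
    name=$(basename "$tarball")
    # The Checksums-Sha256 stanza is the header line followed by
    # continuation lines that start with a space: "<sha256> <size> <file>".
    entry=$(awk -v f="$name" '
        /^Checksums-Sha256:/ { inblk = 1; next }
        /^[^ ]/              { inblk = 0 }
        inblk && $3 == f     { print $1, $2; exit }
    ' "$dsc")
    if [ -z "$entry" ]; then
        echo "no Checksums-Sha256 entry for $name in $dsc" >&2
        return 1
    fi
    expected_sum=${entry%% *}
    expected_size=${entry##* }
    actual_sum=$(sha256sum "$tarball" | cut -d' ' -f1)
    actual_size=$(wc -c < "$tarball" | tr -d ' ')
    if [ "$expected_sum" = "$actual_sum" ] && [ "$expected_size" = "$actual_size" ]; then
        echo "OK: $name matches the checksum recorded in $dsc"
        return 0
    fi
    echo "MISMATCH for $name: .dsc records $expected_sum ($expected_size bytes)," \
         "tarball is $actual_sum ($actual_size bytes)" >&2
    return 1
}

# make_fixture: build a constructed upstream tarball plus a .dsc recording it.
# Prints the working directory so the caller can clean it up.
make_fixture() {
    work=$(mktemp -d)
    mkdir "$work/foo-1.0"
    echo 'int main(void) { return 0; }' > "$work/foo-1.0/main.c"
    tar -C "$work" -czf "$work/foo_1.0.orig.tar.gz" foo-1.0
    sha=$(sha256sum "$work/foo_1.0.orig.tar.gz" | cut -d' ' -f1)
    md5=$(md5sum "$work/foo_1.0.orig.tar.gz" | cut -d' ' -f1)
    size=$(wc -c < "$work/foo_1.0.orig.tar.gz" | tr -d ' ')
    cat > "$work/foo_1.0-1.dsc" <<EOF
Format: 1.0
Source: foo
Version: 1.0-1
Checksums-Sha256:
 $sha $size foo_1.0.orig.tar.gz
Files:
 $md5 $size foo_1.0.orig.tar.gz
EOF
    echo "$work"
}

# Stand-alone demonstration: the untouched tarball passes, a tarball with a
# single appended byte (standing in for "spurious changes") is rejected.
demo() {
    work=$(make_fixture)
    verify_orig_against_dsc "$work/foo_1.0-1.dsc" "$work/foo_1.0.orig.tar.gz"
    printf 'x' >> "$work/foo_1.0.orig.tar.gz"
    if verify_orig_against_dsc "$work/foo_1.0-1.dsc" "$work/foo_1.0.orig.tar.gz" 2>/dev/null; then
        echo "unexpected: tampered tarball accepted" >&2
        rm -rf "$work"
        return 1
    fi
    echo "tampered tarball correctly rejected"
    rm -rf "$work"
}

demo
```

The comparison is only as good as the .dsc it reads, which is why the sponsor should verify the sponsoree's signature on the .dsc before trusting its checksums, and then compare the recorded hash with the tarball fetched from upstream rather than with whatever arrived alongside the .dsc.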