[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Sponsoring procedures

Scripsit Richard Atterer <richard@2005.atterer.net>

> As the sponsor, you should rebuild the package from source using
> the diff from the packager, and using the upstream sources, not the sources
> provided by the packager. See this page:
> http://www.debian.org/doc/developers-reference/ch-beyond-pkging.en.html#s-sponsoring

I think that section may be phrased a little too harshly. It seems to
be based on an assumption that a sponsoree is necessarily less
trustworthy than a random upstream author.

It is of course true that as part of the normal quality check one does
as part of a sponsored upload, one should check that the .orig.tar.gz
does not contain spurious changes. But the idea that a sponsor should
expect only a .diff.gz from the sponsoree is unsound - you would be
less sure that the upstream source you use is the same as the one the
sponsoree created his diff against.

Ideally a sponsoree should be produce a full Debian source package.
The sponsor checks it (including a sanity check of the .orig.tar.gz
in case of a new upstream version), removes the sponsoree's signature
on the .dsc and adds his own, builds a binary package, and uploads.

In practice it is acceptable for the sponsor to recompute the .diff.gz
and .dsc using dpkg-buildpackage (which in any case ought to produce
identical files). But I think the sponsoree should provide a .dsc
nevertheless, if only to document the checksum of the .orig.tar.gz he
used for packaging.

Henning Makholm                            "What a hideous colour khaki is."

Reply to: