Re: This topic died off; any resolution?

To: debian-devel@lists.debian.org
Subject: Re: This topic died off; any resolution?
From: Manoj Srivastava <srivasta@debian.org>
Date: Fri, 27 Mar 2009 23:43:21 -0500
Message-id: <[🔎] 878wmq8dg6.fsf@anzu.internal.golden-gryphon.com>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 878wmtc7vq.fsf@windlord.stanford.edu> (Russ Allbery's message of "Wed, 25 Mar 2009 19:53:13 -0700")
References: <[🔎] 20090325190038.2caa43e9@brennin.fionavar.dd> <[🔎] 878wmtc7vq.fsf@windlord.stanford.edu>

On Wed, Mar 25 2009, Russ Allbery wrote:

> That still leaves open the question of what get-orig-source should do with
> a package that can't use uscan (unversioned upstream files, multiple
> upstream tarballs, upstream that uses only a VCS, etc.).  Currently,
> Policy says that it should download and create a tarball of the most
> current upstream sources.  I think that makes sense, but it's harder than
> doing the most recent blessed sources and might break a lot.  It also
> leaves one without an easy way of duplicating exactly the tarball that was
> uploaded with the Debian package.

        Well, getting the tarball uploaded with the debian package is
 generally easy: you ask debian archives for it. Getting the latest
 upstream tarball, espescially if it needs modification, in cases where
 a simple uscan command won't cut the mustard, has no easy solution for
 an enduser.

        Now, an end user wanting to get a tarball that shipped with
 debian, and one who does not trust the debian arvhive, but trusts their
 copy of the debian source package, and thus the debian maintainer ---
 err, this is a vanishlingly small audience. I mean, you trust the
 debian source package, and the maintainer, to have prvded you a recipe
 to reproduce the tarball that has been uploaded to the debian archives,
 and yet you do not trust the debian archive ... weird.

        I think there would be more people who just want to update their
 debian package with the latest upstream sources, and want to know how
 to do whatever the debian maintainr does to convert stuff from upstream
 to the debian orig.tar.gz file -- and there is no easy workaround like
 apt-get source for this use case.

        A special rule in debian/rules to duplicate apt-get source for
 people who are skeptical of thea rchive (and have an ill defined
 attack vector thay are being paranoid about) -- or to provide
 functionality that apt-get source is not a duplicate for?

        For me, this is a no brainere. Ohter people's mileage has
 evidently varied.

        manoj
-- 
If at first you don't succeed, redefine success.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to:

Follow-Ups:
- Re: This topic died off; any resolution?
  - From: Reinhard Tartler <siretart@debian.org>

References:
- This topic died off; any resolution?
  - From: Daniel Dickinson <cshore@brucetelecom.com>
- Re: This topic died off; any resolution?
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Proposed hook to tag bugs as pending
Next by Date: Bug#521527: ITP: ttf-sawarabi-mincho -- Japanese mincho font, made from scratch
Previous by thread: Re: Bug#466550: Clarify or remove the get-orig-source target specification
Next by thread: Re: This topic died off; any resolution?
Index(es):
- Date
- Thread