
Re: Improvements to ‘debian/watch’ for fetching from VCS

(Why was Manoj's message also sent individually to me?)

On 07-Apr-2009, Manoj Srivastava wrote:
>         If the current version is what we are interested in, why not
>         get it from the canonical site, the Debian archive?

The Debian archive is *not* the canonical location for the upstream's
original source. The upstream's repository (whether VCS or static
files or whatever they make available) is the canonical location.
Debian's archive might be more consistent and convenient, but it's an
intermediary source for most packages, *not* canonical.

>         I am not seeing the use case for not getting the sources
>         distributed by Debian from Debian. People who do not trust
>         the Debian archive, ought not to trust the Debian script,
>         and go get the upstream using a trusted download agent on
>         their own; so security is not the use case.

Trust isn't binary. One use case is to confirm what re-packing of an
original source archive has been done. Another is to verify whether
perhaps *upstream* has fiddled with the original source archive since
Debian packaged it. Yet another is to get an original source archive
that hasn't yet made it into Debian's archive.

>         By far the most common use case I can see is to get the
>         latest upstream, and do whatever munging needs to be done to
>         make it acceptable for Debian as a source archive.
>         What am I missing?

It's not at all unusual for me to *not* want to get the latest version
precisely because I'm not ready to package that version, or because it
is worse (FSVO worse) than the version specified in

 \       “Science shows that belief in God is not only obsolete. It is |
  `\                        also incoherent.” —Victor J. Stenger, 2001 |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>
