[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Improvements to ‘debian/watch’ for fetching from VCS

On Tue, Apr 07 2009, Ben Finney wrote:

> (Why was Manoj's message also sent individually to me?)
>
> On 07-Apr-2009, Manoj Srivastava wrote:
>>         If the current version is what we are interested, why not
>>         get it from the canonical site, the Debian archive?
>
> The Debian archive is *not* the canonical location for the upstream's
> original source. The upstream's repository (whether VCS or static
> files or whatever they make available) is the canonical location.
> Debian's archive might be more consistent and convenient, but it's an
> intermediary source for most packages, *not* canonical.

        As far as Debian is concerned, it is: this is the orig.tar.gz
 that the diff.gz needs to be applied to in order to get the
 Debian package in the archive.

        Whatever is upstream may or may not produce the package we have
 (it could have been corrupted, updated, or whatever). 

>
>>         I am not seeing the sue case for not getting the sources
>>         distributed by Debian from Debian. People who do not trust
>>         the Debian archive, ought not to trust the Debian script,
>>         and go get the upstream using a trusted download agent on
>>         their own; so security is not the use case.
>
> Trust isn't binary. One use case is to confirm what re-packing of an
> original source archive has been done. Another is to verify whether
> perhaps *upstream* has fiddled with the original source archive since
> Debian packaged it. Yet another is to get an original source archive
> that hasn't yet made it into Debian's archive.

        Most of htese checks, while laudable, ought not to bload either
 uscan, or debian/rules, since these are far off topic, in my opinion. 


>>         By far the most common use case I can see is to get the
>>         latest upstream, and do whatver munging needs to be done to
>>         make it acceptable for Debian as a source archive.
>>
>>         What am I missing?
>
> It's not at all unusual for me to *not* want to get the latest version
> precisely because I'm not ready to package that version, or because it
> is worse (FSVO worse) than the version specified in
> ‘debian/changelog’.

        I think that is usually an uncommon  case. And we ought to be
 coding to the common case, while not making the uncommon cases impossible.

        manoj
-- 
Ours is a world of nuclear giants and ethical infants. General Omar
N. Bradley
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
Reply to: