Re: Bug#466550: Pristine source from upstream VCS repository

[Manoj Srivastava <srivasta@debian.org>]

On Sun, Mar 15 2009, Steve Langasek wrote:

> On Sun, Mar 15, 2009 at 06:48:11PM -0500, Manoj Srivastava wrote:
>> On Thu, Mar 12 2009, Russ Allbery wrote:
>
>>         Given that we already have a tool that can download upstream
>>  sources, with or without mangling, and can be used by facilities
>>  outside of the unpacked Debian source package to determine if there was
>>  new versions and to download unmangled versions, is there any need to
>>  retain the get-orig-source target at all?
>
> I have get-orig-source targets that verify the upstream detached gpg
> signatures before repacking the tarballs.  Is there a way to do that with
> uscan?

        There is no limit on what your user specified script can
 do. Given a version number, you can still download the hash and test
 it. No sweat.

>> I mean, this seldom implemented target is duplicating an existing and
>> widely used facility in Debian; and removing the target from the policy
>> will advance the laudable goal of stripping the policy of cruft.
>
> Well, I doubt more people are using uscan mangling than are using
> get-orig-source, really; so I don't think that facility is "widely used".


        There are far many more watch files in packages than there are
 get-orig-source targets in rules files, so yes, uscan is far more
 widely used. As I said elsewhere in this thread, mangling is not widely
 enough automated to say anything one way or the other about practices
 followed. 

> But that's not an argument against dropping get-orig-source from policy,
> either, if we think there's something better.

        I am still open to discussion of that. I do not have any
 packages anymore that are not now served by uscan -- apart from the
 cases where the is no upstream tarball at all.

> If get-orig-source is going to be dropped from policy, I think there
> should be some replacement language encouraging the use of uscan with
> support for any necessary mangling.

        The one case that is not supported is the equivalent of

--8<---------------cut here---------------start------------->8---
 repo=$(egrep '^VCS-Git: ' debian/control | perl -pli -e 's/^VCS-Git: +//i')
 git clone --depth 10 $repo  <pkg>-<ver>
 tar -zcf <pkg>_<uver>.orig.tar.gz --exclude .gitmodules --exclude-vcs \
    <pkg>-<ver>
--8<---------------cut here---------------end--------------->8---

        I agree that uscan is not meant to do things like that for
 various VCS', and one  where getting a specific version from the repo
 could be useful, and might need to be setup by the human packaging
 things.

        I would not be against a recommendation in policy to implement
 direct-from-vcs  upstream tarballs to be created vbia get-orig-source,
 and everyone else just use debian/watch and debian/urepack files.

        This will give get-orig-source a purpose, and one that is not
 met already by tools we all use anyway.

        manoj
-- 
There's no use in having a dog and doing your own barking.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C