Re: Git packaging workflow discussion on planet.d.o

[Russ Allbery <rra@debian.org>]

Thomas Goirand <zigo@debian.org> writes:
> On 04/05/2013 12:38 AM, Russ Allbery wrote:

>> Using git archive to generate a tarball from upstream is something that
>> I do in some cases as well.  It all depends on upstream's release
>> process.  I default to using released tarballs if they exist and are
>> useful, but I fall back to git archive when they're not.

> Opposite way for me. If there are (signed) tags, I use them first.

Signed tags are on a different axis, not mutually exclusive with tarballs.
My normal practice as discussed up-thread is to use both the signed tag
and the tarball.

> Upstream tarballs are most of the time compressed with gzip, which is
> lame. They aren't PGP signed like a git tag may be.

In my experience, upstreams that sign their git tags generally sign their
tarballs too.  YMMV.

>> This means that the tarball Debian uses doesn't match upstream, which
>> is a drawback

> Why? I think that we're hitting the fetishism that Joey was talking
> about in his blog post ... ;)

Because not everyone has Git or wants to figure out how to verify that we
really did base the packaging on the signed tag (which isn't as trivial as
checking the checksums of the *.orig.tar.gz file).  Since the Debian
archive needs the tarballs *anyway*, the small amount of additional work
required to use the upstream release tarballs so that we're obviously
consistent seems worth it.

If we ever had an archive process that didn't require *.orig.tar.gz files,
I would reconsider.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>