[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Conflict between debian/upstream (DEP-12) & debian/upstream/ (uscan)

Hi all,

In devscripts 2.13.3, uscan gained the ability to verify signature of
the upstream tarball using a file debian/upstream-signing-key.pgp.  In
2.14.0, I added the ability to use armored keys and decided to move the
files under debian/upstream/, an idea which had been suggested by a few

This introduced a conflict with DEP-12 (c.f., #736760), which uses
debian/upstream to track metadata about the upstream project.  Tools
like umegaya[0] and Debian Med's task list[1] use the information
provided in this file.

[0]: http://upstream-metadata.debian.net/
[1]: http://blends.debian.org/med/tasks/

Part of the reason I chose to use debian/upstream/ is that an extensible
location for upstream related information (similar in spirit to
debian/source/) could be useful.  I also was unaware of (or had
forgotten about) DEP-12's existing use of debian/upstream, which was
appropriated around 01/2012 as the new name for

This leads to the question of how to move forward from here?

Transitioning to debian/upstream/ would require:

- Choosing a new name for DEP-12's file and updating the wording in
  DEP-12.  My suggestion would be debian/upstream/metadata.

- Updating the data collection code for umegaya and Debian Blends, the
  latter of which has an initial patch[2] based on my suggestion in 1).

- Renaming the file in the VCS repositories for all packages providing
  this information.  This is ~350 packages according to
  ullman:/srv/udd.debian.org/mirrors/machine-readable, which doesn't
  include packages that still haven't transitioned from
  upstream-metadata.yaml.  Note, that this only needs to happen in the
  VCS and not a source upload.

[2]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736760#35

Sticking with the status quo would require:

- Changing uscan to look for debian/upstream-signing-keys.{pgp,asc}

- Updating the ~17 packages that have started using debian/upstream/

While the latter is less work, my preference would be for the former
since it provides a consistent place to look for upstream information
in the context of a Debian source package.  It seems unlikely to me both
that uscan/DEP-12 will be the only projects that will want access to
upstream-related information and that any other information would
necessarily fit into one of those two buckets that they understand.

GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan@debian.org>

Attachment: signature.asc
Description: Digital signature

Reply to: