Re: Standardizing the layout of git packaging repositories



Am 16.08.2014 18:20, schrieb Russ Allbery:
> Thomas Goirand <zigo@debian.org> writes:
>> On 08/16/2014 07:05 AM, Jeremy Stanley wrote:
> 
>>> However upstream may build tarballs through a (hopefully
>>> repeatable/automated) process at release time, publish checksums and
>>> signatures for them, et cetera and prefer packagers use those as the
>>> original tarballs for official release versions.
> 
>> And then? If I prefer to use their git repository, and create my own
>> orig.tar.xz out of a signed git tag, what is the problem, as long as I
>> use the tag they provided by upstream?
> 
> Suppose someone wants to check (possibly as part of a forensic
> investigation) that the source in Debian matches the source released and
> signed by upstream.  If you reuse the upstream tarball, the signature is
> valid, so this is as simple as verifying the Debian *.orig.tar.xz file
> against the upstream signature or a checksum of a good copy of the
> upstream source.  If you regenerate the tarball, those checksums are no
> longer valid, and now someone has to unpack both tarballs and compare all
> of the files (and, depending on what they're checking, permissions and
> other metadata) individually.

More importantly (at least in my experience): If you are working in a
team and you regenerate the tarball from git, it's very likely that the
md5sum of the generated tarball differs from what has been uploaded to
the archive by a different team maintainer in a previous upload,
resulting in a reject by dak.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Attachment: signature.asc
Description: OpenPGP digital signature
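The two failure modes discussed above (a regenerated tarball whose checksum no longer matches upstream's published one, and the per-file comparison that a forensic check then has to fall back to) can be reproduced offline. The following is an added example, not code from this thread or from any Debian tooling: it packs a small constructed source tree twice with the kind of metadata that differs between an upstream release tarball and a re-archived git tag (entry order, mtime, owner), checks the result against a SHA256SUMS-style line, and when that fails compares the two archives entry by entry, including permission bits. File names, timestamps and the checksum file format are assumptions made for the example.

```python
"""Added example: why a re-archived orig tarball fails upstream's checksum
check, and what the per-file comparison has to look at instead.
All inputs are constructed; nothing here is taken from a real package."""
import hashlib
import hmac
import io
import tarfile

# Constructed sample source tree: archive path -> (mode, content).
SAMPLE_TREE = {
    "foo-1.0/configure": (0o755, b"#!/bin/sh\necho configuring\n"),
    "foo-1.0/src/main.c": (0o644, b"int main(void) { return 0; }\n"),
    "foo-1.0/README": (0o644, b"foo 1.0\n"),
}


def build_tarball(tree, mtime, order, uid=0, gid=0):
    """Pack `tree` into an xz-compressed tar stream (xz output is deterministic,
    so the only things that can change the bytes are the entries and their
    metadata). mtime, entry order and uid/gid are the fields assumed to differ
    between an upstream `make dist` and a git-based regeneration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for path in order:
            mode, data = tree[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mode = mode
            info.mtime = mtime
            info.uid, info.gid = uid, gid
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def verify_against_checksum_file(blob, checksums_text, filename):
    """Check `blob` against a sha256sum-style line ("<hex>  <name>") as an
    upstream might publish next to the release. Returns True only on a match."""
    for line in checksums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return hmac.compare_digest(parts[0], sha256_hex(blob))
    return False


def manifest(blob):
    """Per-entry view of a tarball: path -> (type, permission bits, size,
    sha256 of content). This is the information a forensic comparison needs
    once the whole-archive checksum is no longer usable."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            content = tar.extractfile(member).read() if member.isfile() else b""
            out[member.name] = (member.type, member.mode & 0o7777,
                                member.size, sha256_hex(content))
    return out


def compare_tarballs(a, b):
    """Return sorted (path, field, value_in_a, value_in_b) tuples for every
    entry that is missing on one side or differs in type, mode, size or
    content. An empty list means the trees are identical in all of these."""
    ma, mb = manifest(a), manifest(b)
    diffs = []
    fields = ("type", "mode", "size", "sha256")
    for path in sorted(set(ma) | set(mb)):
        if path not in ma or path not in mb:
            diffs.append((path, "present", path in ma, path in mb))
            continue
        for field, va, vb in zip(fields, ma[path], mb[path]):
            if va != vb:
                diffs.append((path, field, va, vb))
    return diffs


# Upstream's release tarball (constructed): `make dist` ordering, release time.
UPSTREAM_ORDER = ["foo-1.0/README", "foo-1.0/configure", "foo-1.0/src/main.c"]
UPSTREAM = build_tarball(SAMPLE_TREE, mtime=1408100000, order=UPSTREAM_ORDER)
UPSTREAM_SHA256SUMS = f"{sha256_hex(UPSTREAM)}  foo-1.0.tar.xz\n"

# Same tree re-archived from a git tag on a maintainer's machine: sorted
# entry order, commit time as mtime, the maintainer's uid/gid.
REGENERATED = build_tarball(SAMPLE_TREE, mtime=1408000000,
                            order=sorted(SAMPLE_TREE), uid=1000, gid=1000)

# A tree that really did change: configure lost its execute bit.
TAMPERED_TREE = dict(SAMPLE_TREE)
TAMPERED_TREE["foo-1.0/configure"] = (0o644, SAMPLE_TREE["foo-1.0/configure"][1])
TAMPERED = build_tarball(TAMPERED_TREE, mtime=1408100000, order=UPSTREAM_ORDER)

if __name__ == "__main__":
    print("upstream verifies:   ",
          verify_against_checksum_file(UPSTREAM, UPSTREAM_SHA256SUMS, "foo-1.0.tar.xz"))
    print("regenerated verifies:",
          verify_against_checksum_file(REGENERATED, UPSTREAM_SHA256SUMS, "foo-1.0.tar.xz"))
    print("regenerated vs upstream, per file:", compare_tarballs(UPSTREAM, REGENERATED))
    print("tampered vs upstream, per file:   ", compare_tarballs(UPSTREAM, TAMPERED))
```

The regenerated archive fails the checksum check even though every file in it is byte-identical to upstream's, which is exactly why the archive-level check only works when the upstream tarball is reused unchanged; the per-entry comparison is what recovers that assurance, and it is also the only check that notices the dropped execute bit in the tampered tree, which a content-only diff would miss.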
