Hello Helmut, On Mon 17 Jun 2019 at 06:21pm +0200, Helmut Grohne wrote: > Presently, no. I attempted using it, but I feel that the extra > complexity did not help my use case. dgit solves a difficult problem and > that comes at a cost. Verification of source integrity is much more > difficult to understand with dgit (and it presently seems to have a > trust root in the ca business). The integrity checking performed by > apt-get source on the other hand is quite easily explained (if you > assume gpgv). Then, I'm not interested in commits that are not yet > uploaded. I want to reproduce the exact failure that QA saw. I > occasionally look into history of packages to figure something out. For > this case, dgit is not useful due to its low adoption and being young. > On the other hand, debian/changelog often suffices here. > > So it's not like dgit would be bad. It just seems to solve a different > problem than the one I have. This is good feedback, thank you. Can I ask whether you think it would help if dgit was more verbose about the verification it was doing? Telling you what the ftpmaster API was telling it, or something. The commercial SSL thing is indeed a problem (#790093). For the history thing, after you `dgit clone`, `git fetch vcs-git` will get you the maintainer's history for browsing. That's about as easy as debcheckout. -- Sean Whitton
Attachment:
signature.asc
Description: PGP signature