
Re: Git Packaging: Native source formats



On Fri, Aug 30, 2019 at 12:29:45AM +0200, Thomas Goirand wrote:
> 
> Pristine-tar forces you to have multiple branches when you may only need
> a single one. It's also not reliable and may easily generate different
> tarballs for the same tag, which defeats its purpose (and no, the
> workaround to remove all timestamps and order files isn't acceptable).

Huh?  When is pristine-tar unreliable?  At least in my
experience, I can store both the GPG signature and upstream tar file
using pristine tar, and it's never failed to reproduce the exact tar
file such that the GPG signature verifies.

I'm not even sure what you mean by "remove all timestamps and order
files".  The whole point of pristine tar is that you don't have to do
that, and you can preserve the exact binary that was uploaded, and
signed, by the upstream.

> Not only that. If upstream uses git, then I just fetch from it, and use
> the upstream tag as reference to run "git archive", which does the job
> very well.

But not all upstreams use git...

> Now, you're talking about upstream using bzr or hg. These are the very
> few minority (and counting...). We may as well get rid of hg and bzr in
> Debian if it doesn't get fixed so it uses Python 3 only... (well, I
> guess someone will wake up and do the work, so this argument doesn't
> count...).

And even if they do use git, they may not use signed tags.  Some of
them also do post-processing to generate the tar.gz file which gets
distributed.  (Example: util-linux).  Hence, using "git archive" isn't
a substitute.

I'm arguing that we need to have a sane solution for those upstreams
that don't use git, or who use git but who don't use signed tags, or
who do post-processing to generate the tar file.  Hopefully you're not
arguing that we should just summarily eject any packages from Debian
which don't use git, and refuse to package any package which isn't
compatible with our new git packaging philosophy?

						- Ted
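
Added example, not part of the original message: a detached signature covers the tarball's bytes, so a regenerated archive with the same files but different timestamps or member order cannot be checked against upstream's signature. The sample tree, the function names and the use of a SHA-256 digest as a stand-in for the signed bytes are assumptions made for this illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample tree standing in for an upstream release (not real data).
FILES = {
    "hello-1.0/README": b"hello\n",
    "hello-1.0/main.c": b"int main(void) { return 0; }\n",
}

def build_tar(files, mtime, order):
    """Return the bytes of an uncompressed tar holding `files` in `order`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def digest(blob):
    """SHA-256 of the archive bytes, i.e. what a detached signature binds to."""
    return hashlib.sha256(blob).hexdigest()

def contents(blob):
    """Map member name -> payload, ignoring metadata and member order."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}

def compare(signed, regenerated):
    """Classify a regenerated tarball against the one upstream signed."""
    if digest(signed) == digest(regenerated):
        return "byte-identical"              # upstream signature still verifies
    if contents(signed) == contents(regenerated):
        return "same-files-different-bytes"  # signature can no longer be checked
    return "different-content"

if __name__ == "__main__":
    upstream = build_tar(FILES, 1000, sorted(FILES))
    print(compare(upstream, build_tar(FILES, 1000, sorted(FILES))))
    print(compare(upstream, build_tar(FILES, 2000, sorted(FILES))))
    print(compare(upstream, build_tar(FILES, 1000, sorted(FILES, reverse=True))))
```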

