On Tue, 2019-10-22 at 16:52 -0700, Russ Allbery wrote:
> That seems excessively pessimistic. What about Git makes you think
> it's impossible to create a reproducible source package?
Has it been done? Given this point has been raised several times
before if it hasn't been done by now I think it's reasonable to assume
it's difficult, and thinking that it's so is not excessively
pessimistic.
I personally wonder how the mirrors are expected to handle .git
repositories. That would increase the number of files they have to
handle by a couple of orders of magnitude. What are the plans for
that? Maybe you think that can handle it? Maybe you plan to abandon
the mirror network in favour of something else like the CDN? Maybe
you plan to remove the source from the mirrors?
Finally, there are more consumers of the source format than the Debian
packagers. For example, I regularly download Debian source packages
just to figure why the hell something isn't working as I expect. When
I do that, there are two things that are important to me:
1. The download is as small as possible, and doesn't require a
specialised tool. (Github and gitlab go to the trouble of
providing just such as thing, which I think is evidence it's
needed.) The current format is pretty good in this area. At
a pinch you can get away without using deb-source to unpack it.
2. The point that has been raised here - reproducible builds of the
source package. By that I mean a reproducible build should be
pure function that is given the upstream source package and some
data in the form of patches or whatever, and ends up with the
source and build instructions. Being a pure function it always
produces the same outputs give the same inputs.
Unfortunately Debian doesn't always do a good job of this
currently, albeit for good reasons - we can't distribute the
upstream source package so DD's rebuild it, but they are allowed
to do so in any way they please.
Any source format that handled the issues above would get the thumbs up
from me. (Interestingly despite the hairs it has in other areas the
rpm source format have always done well on those issues.)
Unfortunately Bastian's proposal doesn't address them directly.
Attachment:
signature.asc
Description: This is a digitally signed message part