On Tue, 2019-10-22 at 16:52 -0700, Russ Allbery wrote: > That seems excessively pessimistic. What about Git makes you think > it's impossible to create a reproducible source package? Has it been done? Given this point has been raised several times before if it hasn't been done by now I think it's reasonable to assume it's difficult, and thinking that it's so is not excessively pessimistic. I personally wonder how the mirrors are expected to handle .git repositories. That would increase the number of files they have to handle by a couple of orders of magnitude. What are the plans for that? Maybe you think that can handle it? Maybe you plan to abandon the mirror network in favour of something else like the CDN? Maybe you plan to remove the source from the mirrors? Finally, there are more consumers of the source format than the Debian packagers. For example, I regularly download Debian source packages just to figure why the hell something isn't working as I expect. When I do that, there are two things that are important to me: 1. The download is as small as possible, and doesn't require a specialised tool. (Github and gitlab go to the trouble of providing just such as thing, which I think is evidence it's needed.) The current format is pretty good in this area. At a pinch you can get away without using deb-source to unpack it. 2. The point that has been raised here - reproducible builds of the source package. By that I mean a reproducible build should be pure function that is given the upstream source package and some data in the form of patches or whatever, and ends up with the source and build instructions. Being a pure function it always produces the same outputs give the same inputs. Unfortunately Debian doesn't always do a good job of this currently, albeit for good reasons - we can't distribute the upstream source package so DD's rebuild it, but they are allowed to do so in any way they please. Any source format that handled the issues above would get the thumbs up from me. (Interestingly despite the hairs it has in other areas the rpm source format have always done well on those issues.) Unfortunately Bastian's proposal doesn't address them directly.
Description: This is a digitally signed message part