Re: Survey: git packaging practices / repository format
- To: debian-devel@lists.debian.org
- Subject: Re: Survey: git packaging practices / repository format
- From: "Enrico Weigelt, metux IT consult" <lkml@metux.net>
- Date: Mon, 1 Jul 2019 15:04:26 +0200
- Message-id: <9dd5f501-5c58-03e4-a1d3-4b849b5d8ee6@metux.net>
- In-reply-to: <20190529154139.GF7793@belkar.wrar.name>
- References: <23789.22766.778482.983490@chiark.greenend.org.uk> <20190528173136.GB17513@espresso.pseudorandom.co.uk> <23789.38946.363651.512533@chiark.greenend.org.uk> <20190528233922.GA3018@espresso.pseudorandom.co.uk> <259caba1ffb5ad20680acb59e2765b8f6d15b10f.camel@decadent.org.uk> <20190529154139.GF7793@belkar.wrar.name>
On 29.05.19 17:41, Andrey Rahmatullin wrote:
>> Perhaps we should update policy to say that the .orig tarball may (or
>> even "should") be generated from an upstream release tag where
>> applicable.
> This conflicts with shipping tarball signatures.
Does that really need to be the upstream's tarballs?
Why not just automatically generate the orig tarballs and fingerprint
*them* (not caring about the upstream's tarball at all)?
If it's about validating the source integrity all along the path
from upstream to deb-src repo, we could do that by an auditable process
(e.g. fully automatic, easily reproducible transformations).
--mtx
--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287
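
The idea in the message above, generating the tarball with a fully automatic, reproducible transformation and fingerprinting the result, sketched as an added example (not code from the original post or from any Debian tool). The helper names, the sample tree, the fixed timestamp and the choice of SHA-256 over the uncompressed tar are assumptions made for illustration.

```python
import hashlib
import io
import tarfile

def build_orig_tarball(files, prefix, mtime):
    """Return uncompressed tar bytes for `files` (path -> bytes).

    Everything that normally varies between runs or machines is pinned,
    so the output depends only on content, prefix and mtime."""
    buf = io.BytesIO()
    # Pin the archive format: tarfile's default differs between Python versions.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(files):            # fixed member order
            data = files[path]
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            info.mtime = mtime                # e.g. commit time of the release tag
            info.mode = 0o644                 # simplification: no executable bits
            info.uid = info.gid = 0           # no builder-specific ownership
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def fingerprint(tarball):
    """Digest that would be published and signed alongside the package."""
    return hashlib.sha256(tarball).hexdigest()

def verify(files, prefix, mtime, published_digest):
    """Auditor side: rebuild from the tagged tree and compare digests."""
    return fingerprint(build_orig_tarball(files, prefix, mtime)) == published_digest

# Constructed sample tree standing in for a checkout of an upstream release tag.
TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo\n",
    "Makefile": b"all:\n\tcc -o demo src/main.c\n",
}
TAG_TIME = 1561986266  # constructed timestamp

if __name__ == "__main__":
    digest = fingerprint(build_orig_tarball(TREE, "demo-1.0", TAG_TIME))
    print(digest, verify(TREE, "demo-1.0", TAG_TIME, digest))
```

Compression is left out on purpose: gzip, for instance, records a timestamp in its header, so a compressed .orig tarball needs its own pinned settings before its digest is stable.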