Hi, On 8/18/21 5:04 AM, Paul Wise wrote:
>> This is also an additional burden on package maintainers: explaining how they arrived at that particular "upstream" package in a reproducible way

> Debian explaining how we arrived at a particular orig.tar.gz is well established; use a debian/watch file. It supports accessing git repositories directly.

Yes, but it needs to be explained on a per-package basis, especially if there is an upstream .tar.gz. Debian has historically shipped bitwise identical files from upstream, and has been lauded for that as it makes verification easy.

>> and why what we ship as "orig" is different from upstream, and what the copyright and licensing situation for that derived work is.

> I see it another way, the upstream packages/tarballs are usually a derived work of their VCS, adding cruft that should not be there and removing files that should be there.

I am talking from a legal point of view. We would be creating a derived work from upstream VCS that is different than the official upstream release, and then claim this to be the "original" source.

There is a reason we highlight removal of files for licensing reasons in the file name with a large "dfsg" marker: to indicate that this is a derived work. If we were to prefer upstream VCS to upstream release tarballs, I'd expect a similar marker.
Simon