On Wed, Aug 25, 2021 at 04:35:51PM +0200, Simon Richter wrote:
> > I wrote this many times, but I don't see why we should use any "upstream
> > tarball" when the Git repository itself contains the tarball with:
>
> > git archive --prefix=$(DEBPKGNAME)-$(VERSION)/ $(GIT_TAG) \
> > | xz >../$(DEBPKGNAME)_$(VERSION).orig.tar.xz
>
> "git archive" is reproducible, for simplicity I wouldn't use a prefix
> though.

For simplicity I *would* use a prefix, purely because that's what
github/gitlab uses, so upstream can still choose to additionally sign
the distributed tarball if they wish.

    name=CorsixTH-0.61-beta1 # don't ask me why there's no v, it's just what GitHub does
    git archive --prefix=$name/ -o ../$name.tar.gz v0.61-beta1
    gpg --armor --detach-sign ../$name.tar.gz

https://github.com/CorsixTH/CorsixTH/issues/1271#issuecomment-344882419
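
A check that follows from the exchange above, added here as an example and not part of the original message: it regenerates the tar stream for a tag and compares it with a distributed `.tar.gz` after decompression, so that a different gzip implementation does not cause a false mismatch. The helper names `archive_matches_tag` and `demo`, the throwaway repository and the `demo-1.0` prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. All names here are hypothetical.
# Usage: archive_matches_tag REPO TAG PREFIX TARBALL.tar.gz
# Returns 0 if TARBALL holds exactly what "git archive --prefix=PREFIX/ TAG"
# produces, 1 if the contents differ, 2 if either side could not be read.
archive_matches_tag() {
    repo=$1 tag=$2 prefix=$3 tarball=$4
    tmp=$(mktemp -d) || return 2
    rc=2
    # Compare uncompressed tar streams; temp files keep a failed git or gzip
    # from being mistaken for an empty (and therefore "equal") stream.
    if git -C "$repo" archive --format=tar --prefix="$prefix/" "$tag" >"$tmp/want.tar" &&
       gzip -dc "$tarball" >"$tmp/got.tar"; then
        if cmp -s "$tmp/want.tar" "$tmp/got.tar"; then rc=0; else rc=1; fi
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed demo: a throwaway repository with one tagged commit.
# Run "demo" after sourcing this file to try it.
demo() {
    d=$(mktemp -d) || return 2
    git init -q "$d/src" &&
    echo 'hello' >"$d/src/README" &&
    git -C "$d/src" add README &&
    git -C "$d/src" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q -m init &&
    git -C "$d/src" tag v1.0 &&
    # The tarball upstream would publish and detach-sign.
    git -C "$d/src" archive --prefix=demo-1.0/ -o "$d/demo-1.0.tar.gz" v1.0 ||
        { rm -rf "$d"; return 2; }
    good=0; bad=0
    # Same prefix as the published tarball: identical bytes.
    archive_matches_tag "$d/src" v1.0 demo-1.0 "$d/demo-1.0.tar.gz" || good=$?
    # Different prefix: same files, different bytes, so a signature made
    # over the published tarball would not verify against this archive.
    archive_matches_tag "$d/src" v1.0 other-1.0 "$d/demo-1.0.tar.gz" || bad=$?
    rm -rf "$d"
    echo "matching prefix: $good, wrong prefix: $bad"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

The prefix is part of the archived bytes, so whoever regenerates the archive has to use the same prefix as the tarball that was signed.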