On Wed, Aug 25, 2021 at 04:35:51PM +0200, Simon Richter wrote:
> > I wrote this many times, but I don't see why we should use any "upstream
> > tarball" when the Git repository itself contains the tarball with:
>
> >   git archive --prefix=$(DEBPKGNAME)-$(VERSION)/ $(GIT_TAG) \
> >   | xz >../$(DEBPKGNAME)_$(VERSION).orig.tar.xz
>
> "git archive" is reproducible, for simplicity I wouldn't use a prefix
> though.

For simplicity I *would* use a prefix, purely because that's what
github/gitlab uses, so upstream can still choose to additionally sign the
distributed tarball if they wish.

    name=CorsixTH-0.61-beta1 # don't ask me why there's no v, it's just what GitHub does
    git archive --prefix=$name/ -o ../$name.tar.gz v0.61-beta1
    gpg --armor --detach-sign ../$name.tar.gz

https://github.com/CorsixTH/CorsixTH/issues/1271#issuecomment-344882419
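The prefix argument above, as an added example that is not part of the original mail: a detached signature covers the exact bytes of the published tarball, so a tarball regenerated from the tag is covered by it only when the two files are byte-identical. The function names, result labels and argument layout below are assumptions made for this illustration.

```shell
# Added example (not from the original mail); function names and result
# labels are assumptions made for this illustration.

# regenerate <repo> <tag> <name> <out.tar.gz>: forge-style tarball from a tag
regenerate() {
    git -C "$1" archive --format=tar.gz --prefix="$3/" "$2" > "$4"
}

# Hash the decompressed tar stream, ignoring how it was compressed.
payload_sha256() {
    gzip -t "$1" 2>/dev/null || return 1
    gzip -dc "$1" | sha256sum | cut -d' ' -f1
}

# compare_tarballs <published> <regenerated> prints one of:
#   identical          same bytes; upstream's detached signature applies
#   payload-identical  same tar stream, only the gzip layer differs
#   different          tar stream differs (prefix, content or metadata)
compare_tarballs() {
    if cmp -s "$1" "$2"; then
        echo identical
        return 0
    fi
    a=$(payload_sha256 "$1") || { echo "unreadable: $1" >&2; return 2; }
    b=$(payload_sha256 "$2") || { echo "unreadable: $2" >&2; return 2; }
    if [ "$a" = "$b" ]; then echo payload-identical; else echo different; fi
}

# check_release <repo> <tag> <name> <published.tar.gz> <published.tar.gz.asc>
check_release() {
    tmp=$(mktemp) || return 2
    regenerate "$1" "$2" "$3" "$tmp" || { rm -f "$tmp"; return 2; }
    result=$(compare_tarballs "$4" "$tmp") || { rm -f "$tmp"; return 2; }
    echo "$2: $result"
    status=1
    # Only a byte-identical file is covered by the published signature.
    if [ "$result" = identical ]; then
        gpg --verify "$5" "$tmp"
        status=$?
    fi
    rm -f "$tmp"
    return "$status"
}
```

A `payload-identical` result means the content matches the tag but the published signature will not verify against the regenerated file, so the published tarball has to be kept if that signature is to be used.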