Re: Potential MBF: packages failing to build twice in a row
Hi Wookey,
On Wed, Aug 09, 2023 at 02:30:43PM +0100, Wookey wrote:
> I have never tried Helmut's suggestion of removing this stuff in the
> clean target. It does seem to me that removing it from the tarball
> makes a lot more sense than cleaning it later.
I do see all the advantages of repacking that you and Simon presented.
We don't have to argue about them. Simon also pointed at a severe
limitation though: When repacking, the upstream signature becomes
useless and external parties can no longer verify it at ease. Including
that upstream signature increases trust in the source shipped by Debian
being good.
For cases where we repack anyway (e.g. for licensing reasons), we have
broad consensus that we should also delete generated files at the
repacking stage. I also see a shift here where we may recommend
repacking just for deleting unused files in the absence of an upstream
signature. The arguments are convincing to me.
Does anyone see a way to enable upstream signature verification with
repacked sources? This seems technically incompatible: In order to
verify the signature, we really have to ship the original tar and thus
get into the licensing mess. So the best we might do here is point at
the original tar and signature (hoping that it does not go away) and
providing a tool that verifies the signature and establishes that the
repacked source really corresponds to the verified tar. Is anyone aware
of such tooling?
In the absence of such tooling, I continue to see clean-before-build as
a valid strategy for dealing with generated files and vendored sources.
Helmut
Reply to: