Re: Upstreams with "official" tarballs differing from their git

To: debian-devel@lists.debian.org
Subject: Re: Upstreams with "official" tarballs differing from their git
From: Julien Plissonneau Duquène <sre4ever@free.fr>
Date: Sat, 15 Feb 2025 16:51:21 +0100
Message-id: <[🔎] 1c86ffefaa88c89237fda0fd0a2eb2c2@free.fr>
In-reply-to: <[🔎] fc15af84-f1fb-4bac-a2d2-d6ba20abea7e@archlinux.org>
References: <4335c5610ad698bca78bca889b02657ce42d983f.camel@gmail.com> <e0c551f3-c801-4a7c-9b9c-4765a13bd4b3@debian.org> <57d4e475c330841bb3f740fd9e7a999c82f01c43.camel@gmail.com> <[🔎] e804979f-b064-4977-91ad-f0ca281a20d5@debian.org> <[🔎] fc15af84-f1fb-4bac-a2d2-d6ba20abea7e@archlinux.org>

Hi,

Le 2025-02-15 13:39, kpcyrd a écrit :

Diff between those two:

https://whatsrc.org/diff-right-trimmed/sha256:146d2d673358b7927d9a3c74e22b6b0e7f9a1aee2a4307afbe6ac07f12764130/sha256:599ff98cbab933a8b3640a084b12a5308a20795c192855ee454a8c1c16fa4dac

That divergence is reflected between the official upstream tarballs andthe tarballs that can be downloaded from their GitHub releases page.

There is a similar issue with Gradle where there are official "sourcedistributions" ZIPs [1] (generated by gradle as part of its build) andnot-really-that-much-less-official release tarballs [2] automaticallygenerated by GitHub. The divergence between both is shown at [3].

In the case of Gradle, as the official source ZIPs are lackingdocumentation files that I think are important (e.g. LICENSE) I switchedto using GitHub tarballs, and will probably switch again to use uscan'smode=git as it's simpler to configure and more reliable for largeprojects that release often. That mode could end up being adopted by theJava Team for all projects hosted on GitHub for that reason, and alsobecause it seems easier to convince upstream projects to sign theirrelease tags than to sign their release tarballs. In this specific casehowever I also believe that the upstream project should fix their sourcearchives generation.

In the case of curl, I believe that for Debian using the officialtarball is fine. If I had to use their upstream git repo for Debianpackaging, I would probably write a small custom script that runs theirmaketgz script and can be used in the watch file to regenerateofficial-like "original" tarballs the same way as upstream.


Le 2025-02-15 12:10, Stéphane Glondu a écrit :

My approach to this specific problem would be to add to dune thepossibility to use some configuration file (or environment variables)as input for the substitutions, instead of directly querying the VCS.This configuration could then be set up as part of the Debianpackaging.

I think that this is a reasonable approach that would make the build alot less brittle, and that should be submitted upstream.


Cheers,


[1]: https://services.gradle.org/distributions/
[2]: https://github.com/gradle/gradle/tags

[3]:https://salsa.debian.org/jpd/gradle/-/blob/287ae5c99790f266e242964321955f7c77f397df/debian/wip/delta-ghtar-gradlezip


--
Julien Plissonneau Duquène

Reply to:

References:
- Upstreams with "official" tarballs differing from their git
  - From: Stéphane Glondu <glondu@debian.org>
- Re: Upstreams with "official" tarballs differing from their git
  - From: kpcyrd <kpcyrd@archlinux.org>

Prev by Date: Bug#1096062: ITP: rust-derive-deftly -- Rust macro package for easier "derive"
Next by Date: Re: Upstreams with "official" tarballs differing from their git
Previous by thread: Re: Upstreams with "official" tarballs differing from their git
Next by thread: Re: Upstreams with "official" tarballs differing from their git
Index(es):
- Date
- Thread