Re: Include git commit id and git tree id in *.changes files when uploading?

[Santiago Vila <sanvila@debian.org>]

On Mon, Dec 15, 2025 at 08:26:51PM -0800, Otto Kekäläinen wrote:

> In *.changes files we already have the Vcs-Git line as metadata
> showing where the packaging sources are maintained with an exact URL
> and a `-b <branch>` identified if the upload was not from the default
> branch.
> 
> To be better able to audit the software supply-chain I have been
> thinking that we should have more git info in the changes file, namely
> the git commit id it was generated from, and just in case also the git
> tree id as well.

Your proposal would prevent lost git histories to be reconstructed
and wrong git histories to be fixed.

A very recent example: I've added the last commit here right now:

https://salsa.debian.org/debian/gross/-/commits/master?ref_type=HEADS

Did the author used git to create the upload? Yes, I think so. Should
I have asked the author to push the missing changes? Well, maybe he
has them, but maybe he has not after several months have passed.

In this case the only missing change was absolutely tiny, so the
straightforward way to handle this is to just complete the missing
history when you see it.

So, before implementing your idea or even thinking about it, I'd like
to see a greater effort in keeping the archive and the git histories
in sync project-wide.

Thanks.