
Re: Include git commit id and git tree id in *.changes files when uploading?



On Thu, Dec 18, 2025 at 10:26:48AM -0600, Gunnar Wolf wrote:
> Hello Adrian,

Hi Gunnar,

> Adrian Bunk dijo [Thu, Dec 18, 2025 at 10:56:42AM +0200]:
> > > > tag2upload and dgit already do this.
> > > ...
> > > Are you aware of any attempts to integrate this into dpkg-buildpackage
> > > toolchain so systems that build .deb packages can have that metadata
> > > field universally and not just via official Debian uploads via
> > > tag2upload?
> > 
> > If you want to actually be able to use that for audit purposes, you
> > might not want to work with the maintainer-specific mess that Salsa is.
> > 
> > Only debian/ or complete sources?
> > debian/patches/ or patches applied?
> > One git repository per package, or 1k packages in one git repository?
> > The contents of a git tag/commit does sometimes not match the
> > contents of the package in the archive with the matching version.
> > And a git repository might disappear, or the commit might disappear,
> > or the commit was never pushed anywhere.
> 
> The points you mention are all valid. However, I support Otto's idea here —
> Git repositories might disappear, or their history might be rewritten. It
> _most often_, however, does not happen — sharing the specific commit from
> which a given tree was built costs us _very_ little, and can provide
> important information for many use cases.
>...

the "To be better able to audit the software supply-chain" is the part
I disagreed with, not the part about recording some piece of metadata 
somewhere that might sometimes be useful to someone.

>    – Gunnar.

cu
Adrian
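
The following is an added example for this thread, not code from dpkg, dgit or tag2upload. It illustrates the difference between the two identifiers in the subject line: a git *tree* id can be recomputed from the unpacked source tree alone, so it stays checkable after the repository or the commit has disappeared, whereas a *commit* id can only be checked against the repository it came from. The field name Git-Tree-Id, the sample source tree and the .changes fragment are all constructed for the example.

```python
"""Recompute a git tree object id from an unpacked source directory and
compare it with a tree id recorded in a .changes-style file.

Added example for this thread; not code from dpkg, dgit or tag2upload.
The field name "Git-Tree-Id" is hypothetical.
"""
import hashlib
import os
import stat
import tempfile
from typing import Optional

EMPTY_TREE_ID = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty tree


def git_blob_id(data: bytes) -> str:
    """Object id git assigns to a blob with this exact content."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def git_tree_id(directory: str) -> str:
    """Object id git assigns to the tree rooted at ``directory``.

    Mirrors ``git write-tree`` on a clean checkout: entries are sorted by
    name (a directory sorts as if it had a trailing "/"), and each entry is
    "<mode> <name>\\0" followed by the raw 20-byte id of the blob or subtree.
    """
    entries = []
    for name in os.listdir(directory):
        if name == ".git":  # never part of a tree object
            continue
        full = os.path.join(directory, name)
        st = os.lstat(full)
        raw_name = os.fsencode(name)
        if stat.S_ISLNK(st.st_mode):  # symlink blob = link target, no newline
            mode, oid, key = b"120000", git_blob_id(os.fsencode(os.readlink(full))), raw_name
        elif stat.S_ISDIR(st.st_mode):
            mode, oid, key = b"40000", git_tree_id(full), raw_name + b"/"
        else:
            mode = b"100755" if st.st_mode & stat.S_IXUSR else b"100644"
            with open(full, "rb") as fh:
                oid = git_blob_id(fh.read())
            key = raw_name
        entries.append((key, mode, raw_name, bytes.fromhex(oid)))
    entries.sort(key=lambda e: e[0])
    body = b"".join(mode + b" " + name + b"\0" + raw for _, mode, name, raw in entries)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()


def recorded_field(changes_text: str, field: str) -> Optional[str]:
    """Value of a single-line deb822 field in a .changes-style text, or None."""
    prefix = field + ":"
    for line in changes_text.splitlines():
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def tree_matches_changes(changes_text: str, source_dir: str) -> bool:
    """True when the recorded Git-Tree-Id equals the id recomputed from
    ``source_dir``.  No repository is consulted, so this still works after
    the repository or the commit is gone; a recorded *commit* id cannot be
    checked this way because the commit object only exists in the repository."""
    recorded = recorded_field(changes_text, "Git-Tree-Id")
    return recorded is not None and recorded == git_tree_id(source_dir)


def build_sample_source(root: str) -> None:
    """Constructed sample source tree; not a real Debian package."""
    os.makedirs(os.path.join(root, "debian"))
    with open(os.path.join(root, "debian", "control"), "w") as fh:
        fh.write("Source: example\n")
    with open(os.path.join(root, "hello.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")


def demo() -> dict:
    """Record the tree id, verify it, tamper with one file, verify again."""
    with tempfile.TemporaryDirectory() as empty:
        empty_ok = git_tree_id(empty) == EMPTY_TREE_ID
    with tempfile.TemporaryDirectory() as root:
        build_sample_source(root)
        # Constructed .changes fragment carrying the hypothetical field.
        changes = "Format: 1.8\nSource: example\nGit-Tree-Id: %s\n" % git_tree_id(root)
        before = tree_matches_changes(changes, root)
        with open(os.path.join(root, "hello.c"), "a") as fh:
            fh.write("/* not what was tagged */\n")
        after = tree_matches_changes(changes, root)
    return {"empty_tree_matches_git": empty_ok, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The check covers regular files, executables, symlinks and subdirectories, which is what a Debian source tree unpacked from the archive contains; it deliberately ignores a .git directory so that it can be run on a checkout as well as on an extracted tarball. Whether the tree id refers to the full source or only to debian/, and whether patches are applied, is exactly the ambiguity raised above and would have to be fixed by whoever defines the field.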

