
tag2upload's support of pristine-tar missing and potential regression in upstream signature verification (Re: Include git commit id and git tree id in *.changes files when uploading?)

Hi Sean!

> > Has somebody else already been thinking about the same? Do others see
> > value in this?
>
> As has been pointed out, tag2upload adds fields for exactly this
> purpose.  But as you said in another message, we might want to think
> about adding fields like you propose for non-tag2upload uploads.
>
> I think it would be most fruitful for you to wait a little while.  I'm
> saying this because the tag2upload beta is ending very soon.  We have
> stopped receiving bug reports that make us think "we have to fix this
> before we can end the beta".  We are just finishing up three remaining
> issues.[1]
>
> When tag2upload leaves beta, a lot of maintainers will switch over to it
> for their uploads, so a lot of uploads will gain the metadata you want.

Good to hear you consider tag2upload soon ready for Debian-wide use.
What is the plan of supporting pristine-tar and uploading upstream
orig.tar.gz file unmodified?

The issue https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106071#40
seems to have ended in only a documentation update in
https://salsa.debian.org/dgit-team/dgit/-/merge_requests/264

It would be a pity if we lose the ability to verify detached OpenPGP
signatures for the upstreams that do publish both orig.tar.gz and
orig.tar.gz.asc. Currently the ability to cryptographically verify
authenticity of the upstream sources in a single operation for a lot
of packages significantly decreases the amount of files that have to
be diffed when auditing what was modified in Debian vs. original
upstream.

I know your end goal is to stop using tarballs completely and just
import git commits directly from upstream, but I think we still need
to retain real original .orig.tar.gz tarballs for some years more
until 100% of upstreams use git and 100% of Debian packaging git
repositories have the debian/latest branch on top of a real upstream
release branch so Debian changes can be diffed in relation to upstream
release commits.

Having everyone use tag2upload obviously helps ensure that what was
uploaded, and what is in git, stays in sync. The metadata allows one to
check the chain between the Debian archive and the Debian packaging
git repo, but we should not make it harder to check the link between
Debian and upstream in the process by obsoleting upstream orig.tar.gz.

Thanks,

Otto
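An added example (not code from this thread, nor from dgit, tag2upload or uscan) of the check the message above refers to: verifying an upstream orig.tar.gz against its detached .asc with the keyring a package ships as debian/upstream/signing-key.asc, and showing that a tarball regenerated from the same file contents (different bytes, as happens when the tarball is rebuilt from git instead of reusing the pristine upstream bytes) no longer verifies. The `verify_orig` and `demo_pristine_vs_repack` function names, the throwaway key, the `foo-1.0` tree and all file paths are constructed for this demo; it assumes gpg (2.1 or later), gpgv, tar and gzip are installed.

```shell
#!/bin/sh
# Added example, not code from this thread, dgit, tag2upload or uscan.
# Assumes gpg (>= 2.1), gpgv, tar and gzip are available.
set -eu

# verify_orig TARBALL SIG ARMORED_KEYRING
# Returns 0 only if SIG is a good OpenPGP signature over TARBALL made by a
# key found in ARMORED_KEYRING (e.g. debian/upstream/signing-key.asc).
verify_orig() {
    tarball=$1 sig=$2 keyring=$3
    tmp=$(mktemp -d)
    # gpgv reads binary keyrings, so dearmor the .asc first (as uscan does).
    gpg --batch --yes --quiet --dearmor -o "$tmp/keyring.gpg" "$keyring"
    if gpgv --keyring "$tmp/keyring.gpg" "$sig" "$tarball" >"$tmp/gpgv.log" 2>&1; then
        rm -rf "$tmp"
        return 0
    fi
    cat "$tmp/gpgv.log" >&2
    rm -rf "$tmp"
    return 1
}

# Constructed scenario: a throwaway "upstream" key and a fake release tarball.
# Returns 0 when the pristine tarball verifies and a regenerated tarball with
# the same file contents (but different bytes) does not.
demo_pristine_vs_repack() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # 1. throwaway signing key (constructed; not any real upstream's key)
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Upstream <upstream@example.invalid>' default default never \
        2>"$work/gen.log" || { cat "$work/gen.log" >&2; return 1; }

    # 2. fake upstream release: foo_1.0.orig.tar.gz plus its detached signature
    mkdir -p "$work/foo-1.0"
    printf 'int main(void) { return 0; }\n' > "$work/foo-1.0/foo.c"
    tar -C "$work" -czf "$work/foo_1.0.orig.tar.gz" foo-1.0
    gpg --batch --quiet --armor --detach-sign \
        -o "$work/foo_1.0.orig.tar.gz.asc" "$work/foo_1.0.orig.tar.gz" || return 1

    # 3. what the Debian package would ship as debian/upstream/signing-key.asc
    mkdir -p "$work/debian/upstream"
    gpg --batch --quiet --armor --export > "$work/debian/upstream/signing-key.asc"

    # 4. the pristine upstream bytes verify in a single operation
    verify_orig "$work/foo_1.0.orig.tar.gz" "$work/foo_1.0.orig.tar.gz.asc" \
        "$work/debian/upstream/signing-key.asc" \
        || { echo "pristine tarball did not verify" >&2; return 1; }

    # 5. a tarball regenerated from the same sources (here: without the
    #    top-level directory entry) has identical file contents but different
    #    bytes, so the upstream signature no longer applies to it. Keeping the
    #    pristine bytes (pristine-tar) is what preserves this check.
    tar -C "$work" -czf "$work/regenerated.orig.tar.gz" foo-1.0/foo.c
    if verify_orig "$work/regenerated.orig.tar.gz" "$work/foo_1.0.orig.tar.gz.asc" \
        "$work/debian/upstream/signing-key.asc" 2>/dev/null; then
        echo "regenerated tarball unexpectedly verified" >&2; return 1
    fi
    echo "pristine orig.tar.gz verifies; regenerated copy does not"
    rm -rf "$work"
    return 0
}

case "${1:-}" in
    demo)   demo_pristine_vs_repack ;;
    verify) verify_orig "$2" "$3" "$4" ;;
    *)      echo "usage: $0 demo | verify ORIG.tar.gz ORIG.tar.gz.asc signing-key.asc" >&2 ;;
esac
```

Run `sh check-orig.sh demo` for the constructed scenario, or `sh check-orig.sh verify foo_1.0.orig.tar.gz foo_1.0.orig.tar.gz.asc debian/upstream/signing-key.asc` against a real package's files. The point of step 5 is the one made in the message: the signature covers the exact tarball bytes, so any workflow that ships a rebuilt tarball rather than the pristine upstream one silently loses this verification.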