Hello,

On Fri 19 Dec 2025 at 09:59am -08, Otto Kekäläinen wrote:

> Hi Sean!
>
>> > Has somebody else already been thinking about the same? Do others see
>> > value in this?
>>
>> As has been pointed out, tag2upload adds fields for exactly this
>> purpose. But as you said in another message, we might want to think
>> about adding fields like you propose for non-tag2upload uploads.
>>
>> I think it would be most fruitful for you to wait a little while. I'm
>> saying this because the tag2upload beta is ending very soon. We have
>> stopped receiving bug reports that make us think "we have to fix this
>> before we can end the beta". We are just finishing up three remaining
>> issues.[1]
>>
>> When tag2upload leaves beta, a lot of maintainers will switch over to it
>> for their uploads, so a lot of uploads will gain the metadata you want.
>
> Good to hear you consider tag2upload soon ready for Debian-wide use.
> What is the plan of supporting pristine-tar and uploading the upstream
> orig.tar.gz file unmodified?
>
> The issue https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106071#40
> seems to have ended in only a documentation update in
> https://salsa.debian.org/dgit-team/dgit/-/merge_requests/264
>
> It would be a pity if we lose the ability to verify detached OpenPGP
> signatures for the upstreams that do publish both orig.tar.gz and
> orig.tar.gz.asc. Currently the ability to cryptographically verify
> authenticity of the upstream sources in a single operation for a lot
> of packages significantly decreases the amount of files that have to
> be diffed when auditing what was modified in Debian vs. original
> upstream.
>
> I know your end goal is to stop using tarballs completely and just
> import git commits directly from upstream, but I think we still need
> to retain real original .orig.tar.gz tarballs for some years more
> until 100% of upstreams use git and 100% of Debian packaging git
> repositories have the debian/latest branch on top of a real upstream
> release branch so Debian changes can be diffed in relation to upstream
> release commits.
>
> Having everyone use tag2upload obviously helps ensure that what was
> uploaded, and what is in git, stays in sync. The metadata allows
> checking the chain between the Debian archive and the Debian packaging
> git repo, but we should not make it harder to check the link between
> Debian and upstream in the process by obsoleting upstream orig.tar.gz
> in the process.

People should either stop using pristine-tar, and make use of the
end-to-end trust path from upstream git tags to the archive that is
provided by tag2upload, or someone should do the work to fix #1106071.
It's all scoped out and ready.

-- 
Sean Whitton
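The two links in the audit chain that the message above contrasts, as an added example that is not code from this thread, from tag2upload or from dgit: link 1 is archive -> .dsc -> orig.tar.gz, checked by recomputing the SHA-256 recorded in the .dsc's Checksums-Sha256 field; link 2 is orig.tar.gz -> orig.tar.gz.asc -> upstream signing key, the detached-signature check that pristine-tar users keep and that an imported git commit does not carry. The package name, version, .dsc fragment and tarball are constructed in the script; the gpgv invocation and the binary keyring (debian/upstream/signing-key.asc dearmored, as uscan does before calling gpgv) are assumptions, and the signature step returns None rather than a verdict when gpgv is not installed.

```python
"""Audit helpers for a Debian source package's orig tarball (added example).

Link 1: archive -> .dsc -> orig.tar.gz      (Checksums-Sha256 in the .dsc)
Link 2: orig.tar.gz -> .asc -> upstream key (gpgv with a dearmored keyring)

Everything below the functions is constructed sample data, not a real package.
"""
import hashlib
import io
import re
import shutil
import subprocess
import tarfile
from typing import Dict, List, Optional, Tuple

ChecksumMap = Dict[str, Tuple[str, int]]  # filename -> (sha256 hex, size in bytes)


def parse_checksums_sha256(dsc_text: str) -> ChecksumMap:
    """Return the Checksums-Sha256 entries of a (possibly clearsigned) .dsc.

    Field bodies are continuation lines starting with a space; parsing stops at
    the uploader's PGP signature block so armoured lines are never misread.
    """
    result: ChecksumMap = {}
    in_field = False
    for line in dsc_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if in_field:
            if line.startswith(" "):
                m = re.fullmatch(r"\s*([0-9a-f]{64})\s+(\d+)\s+(\S+)\s*", line)
                if m:
                    result[m.group(3)] = (m.group(1), int(m.group(2)))
                continue
            in_field = False  # next field started
        if line.lower().startswith("checksums-sha256:"):
            in_field = True
    return result


def verify_orig_against_dsc(dsc_text: str, filename: str, data: bytes) -> bool:
    """Link 1: the bytes on disk are exactly what the uploader's .dsc declares."""
    entry = parse_checksums_sha256(dsc_text).get(filename)
    if entry is None:
        return False
    expected_sha256, expected_size = entry
    return len(data) == expected_size and hashlib.sha256(data).hexdigest() == expected_sha256


def gpgv_command(keyring: str, asc_path: str, orig_path: str) -> List[str]:
    """Link 2: gpgv checks the detached .asc against the tarball using only the
    upstream keyring, so trust does not depend on the caller's own GnuPG keyring.
    Assumes `keyring` is a binary keyring (signing-key.asc dearmored)."""
    return ["gpgv", "--keyring", keyring, asc_path, orig_path]


def verify_upstream_signature(keyring: str, asc_path: str, orig_path: str) -> Optional[bool]:
    """Run gpgv; None means 'cannot decide' (gpgv missing), else True/False."""
    if shutil.which("gpgv") is None:
        return None
    proc = subprocess.run(gpgv_command(keyring, asc_path, orig_path), capture_output=True)
    return proc.returncode == 0


# --- constructed sample data ------------------------------------------------

def build_sample_orig(version: str = "1.2.3") -> bytes:
    """Stand-in upstream release tarball, built in memory (constructed, not real)."""
    buf = io.BytesIO()
    payload = b"int main(void) { return 0; }\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=f"example-{version}/main.c")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_dsc(orig_name: str, orig: bytes) -> str:
    """Constructed clearsigned .dsc fragment whose Checksums-Sha256 matches `orig`."""
    return "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----",
        "Hash: SHA512",
        "",
        "Format: 3.0 (quilt)",
        "Source: example",
        "Version: 1.2.3-1",
        "Checksums-Sha256:",
        f" {hashlib.sha256(orig).hexdigest()} {len(orig)} {orig_name}",
        f" {'0' * 64} 1234 example_1.2.3-1.debian.tar.xz",
        "-----BEGIN PGP SIGNATURE-----",
        "(uploader signature omitted in this constructed sample)",
        "-----END PGP SIGNATURE-----",
        "",
    ])


if __name__ == "__main__":
    name = "example_1.2.3.orig.tar.gz"
    orig = build_sample_orig()
    dsc = build_sample_dsc(name, orig)
    print("link 1 (dsc -> orig):", verify_orig_against_dsc(dsc, name, orig))
    print("link 1 on tampered orig:", verify_orig_against_dsc(dsc, name, orig + b"\x00"))
    print("link 2 command:", " ".join(gpgv_command("upstream.gpg", name + ".asc", name)))
```

Link 1 is what tag2upload's metadata and the archive's own signatures cover; it says nothing about whether the tarball is what upstream published. Link 2 is the check that only works when the orig.tar.gz is byte-identical to upstream's release, which is why pristine-tar (or an unmodified upstream tarball) is what keeps it possible.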