Recording VCS information in the source package info
We have the Vcs-* fields in debian/control now that allow you to find
the Vcs for the package you are looking at, and this is very useful. I
think there is room to extend this a little further using automated
tools to record information about which revision was built as well.
This could be useful for people and automated tools to checkout the code
at that revision (so debcheckout could be extended to optionally put you
on the revision that was used in the branch it checks out). I am
interested more for a kind of audit purpose though. It's possible for
the Vcs-* field to point to anything, that may have nothing to do with
the code that was used to build that version, and it may even have a tag
in it claiming that it built version N when it in fact did not. Making
the links more reliable reduces the chance of confusion when this sort
of thing happens, and allows for more automated things to be done.
I would therefore propose two new fields that would be optional in a
.dsc file, and possibly the Sources file, but not debian/control as they
are derived data. They would be:
* Vcs-*-revision: A string meaningful to the Vcs that was used that
refers to the revision that the package was built from.
* Vcs-*-tree: Some sort of hash of the tree contents that were built,
as it's possible that the contents were modified from the contents
of the revision that was checked out. This could either be a
Vcs-native thing, or some sort of abstracted hash, I'm not sure.
I'm not sure what the best way to access this information when building
the package is, you would be able to state that better than me.