Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language

To: Andrea Pappacoda <andrea@pappacoda.it>
Cc: Daniel Swarbrick <daniel.swarbrick@gmail.com>, debian-go@lists.debian.org
Subject: Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
From: Otto Kekäläinen <otto@debian.org>
Date: Fri, 22 Aug 2025 12:45:54 -0700
Message-id: <[🔎] CAOU6tAB4m5cWq-+hkH6MWUti9_a0W6VkE3ucOe6pbYiA9SWk4Q@mail.gmail.com>
In-reply-to: <[🔎] DC96QRPFJA88.310QZUVVZ8IID@pappacoda.it>
References: <[🔎] 55c3b199890fa7fe386a211bb34e9526@gmail.com> <be7839f780f26cfc16340354e0b1a158b47edc4f.camel@debian.org> <[🔎] CAGc9RJp1P35ODaszCMSSiQLuq1U1SzAGZw0oWMsBriAZxss_fQ@mail.gmail.com> <[🔎] 874iu8ctzb.fsf@josefsson.org> <[🔎] dbfbcdf057066924dd05f8c4f189d5385998194f.camel@debian.org> <[🔎] CAGc9RJqY4ieRAnuq6RjjVK0hf=V=GBqhjPbrUrPcbziLqvtxNA@mail.gmail.com> <[🔎] a44a3929a2eab3ba72ece9aa420a742b0780ef1d.camel@debian.org> <[🔎] CAGc9RJq6hqqXKYo3AtfXM+NKU=C0=bv=bp_XajGX78UWuDBRiQ@mail.gmail.com> <[🔎] 67c263c1-a5fc-4f3a-9dd4-fec78a53c3f6@gmail.com> <[🔎] CAOU6tABmHsf4sZiJWNtsJVj8Jy3bc35=XdRPeZY8shnrPU0vDQ@mail.gmail.com> <[🔎] DC96QRPFJA88.310QZUVVZ8IID@pappacoda.it>

> > I think we should have *both* upstream git history and pristine-tar to
> > ensure the tarball has the same shasum no matter who produces it. It
> > happens automatically if you have these lines in gbp.conf:
>
> What's the point of checking the tarball checksum? I mean, of course it
> has value when done by itself. But does it still have value when the
> tarball is just a temporary artifact generated by an audited Git
> history?

Uploads to the Debian archive, and what is stored in the Debian
archive is still tarballs. Same applies for Ubuntu, and various
tooling we have around uploads. Running dput to ftp-master, security,
mentors, Launchpad etc will push tarballs and those checksums better
match or uploads get rejected or the archive ends up having two
versions of the same upstream tarball with different checksums.

I use pristine-tar in all my packages, but occasionally on some
packages I don't or somebody else does not and for example I got this
in April on a Launchpad upload:

> Rejected:
> File usql_0.19.19.orig.tar.gz already exists in PPA for Otto Kekäläinen, but uploaded version has different contents. See more information about this error in https://help.launchpad.net/Packaging/UploadErrors.
> Files specified in DSC are broken or missing, skipping package unpack verification.
> usql (0.19.19-1~bpo25.04.1~1744533524.754fef8+import.0.19.19) plucky; urgency=medium


> Also, by not having to work with tarballs, you not only stop needing the
> pristine-tar branch, but you also no longer need the upstream/latest
> branch. Why? Because you're not actually building the upstream branch
> yourself via gbp imports, but you're just branching off upstream tags
> (which still carry commit history, of course). This means that in Salsa,
> you can finally just store one single branch!

This is true. But it includes a very large assumption that all
upstreams use git and all imports can be based on git tags. Even for
upstreams that use git, some of them still publish tarballs that have
for example documentation added that is from a separate repository, or
large binary test files removed as the project does not intend to ship
them to end users. For the time being, a tarball with files is the
only common denominator across all upstream software.

By using both of these..
pristine-tar = True
upstream-vcs-tag = v%(version%~%-)s
...we get a nice audit trail that allows us to see if an upstream has
custom tarball contents, and how those exactly differ from what was in
git. This can be used to scan for how many upstreams have custom
tarball contents which can help a long-term drive to get upstreams to
have signed git tags as their official announcement method.

Reply to:

Follow-Ups:
- Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: "Andrea Pappacoda" <andrea@pappacoda.it>

References:
- Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: "Arthur Diniz" <arthurbdiniz@gmail.com>
- Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: Arthur Diniz <arthurbdiniz@gmail.com>
- Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: Mathias Gibbens <gibmat@debian.org>
- Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: Arthur Diniz <arthurbdiniz@gmail.com>
- Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: Mathias Gibbens <gibmat@debian.org>
- Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: Arthur Diniz <arthurbdiniz@gmail.com>
- Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: Daniel Swarbrick <daniel.swarbrick@gmail.com>
- Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: Otto Kekäläinen <otto@debian.org>
- Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
  - From: "Andrea Pappacoda" <andrea@pappacoda.it>

Prev by Date: Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
Next by Date: Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
Previous by thread: Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
Next by thread: Re: Bug#1111127: ITP: golang-go.yaml-yaml-v3 -- YAML Support for the Go Language
Index(es):
- Date
- Thread