
Re: Best VCS layout for our packages?


On Tuesday, 16.06.2015, 20:39 -0700, Iustin Pop wrote:
> In general, I believe that storing upstream code in git is better for reasons
> beyond packaging ease (e.g. authoritative deltas between upstream
> orig.tar.gz as they were uploaded in Debian, reproduction of arbitrary
> past versions, etc.), but I kind of agree that for mass packaging it's
> better to not do that.
> That said, I'd prefer if at least the repository records a checksum of
> the upstream archive, since I feel this "checkout git signed tags but
> use unsigned upstream archive from hackage" is not safe enough. Anyway,
> another discussion.

Yes, this is a drawback of that approach, as also noted by Thomas Koch.
For tarballs that are already in the archive, the problem is not so big
(the authoritative file is there, and one cannot accidentally upload
another), but that does not help until the first version is uploaded.
hackage-security will eventually help here, but that does not exist

Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: F0FBF51F
  JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata
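The checksum-in-repository idea raised in the quoted message, as an added example that is not part of this thread or of the Debian Haskell packaging tools: a recorded SHA-256 per upstream tarball lives in a file under version control, and a freshly fetched tarball is compared against it before anything is built. The file name `upstream.sha256`, the tarball name `foo-1.0.tar` and the sample contents are all hypothetical; the script only needs `sha256sum`, `tar` and `awk`.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the SHA-256 of each upstream
# tarball in a file under version control, then check a freshly fetched
# tarball against it before building. File and tarball names are hypothetical.
set -eu

# Append "<sha256>  <filename>" for a tarball to the checksums file.
record_upstream_checksum() {
    tarball="$1"
    sums="$2"
    # Hash from inside the tarball's directory so only the bare file name is stored.
    ( cd "$(dirname "$tarball")" && sha256sum "$(basename "$tarball")" ) >> "$sums"
}

# Compare a tarball against the recorded checksum.
# Exit status 0: match. 1: mismatch, missing file, or no entry for that name.
verify_upstream_checksum() {
    tarball="$1"
    sums="$2"
    name="$(basename "$tarball")"
    [ -f "$sums" ] || { echo "no checksum file $sums" >&2; return 1; }
    # Use the last recorded entry for this file name (a later commit may re-record it).
    expected="$(awk -v n="$name" '$2 == n { h = $1 } END { print h }' "$sums")"
    if [ -z "$expected" ]; then
        echo "no checksum recorded for $name" >&2
        return 1
    fi
    actual="$(sha256sum "$tarball" | awk '{ print $1 }')"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "checksum ok for $name"
}

# Round trip on a constructed tarball: record, verify, replace the archive
# under the same name, verify again. Prints "verified" then "rejected" when
# both checks behave as intended.
demo_checksum_roundtrip() {
    work="$(mktemp -d)"
    mkdir "$work/src"
    echo 'module Main where' > "$work/src/Main.hs"   # constructed sample content
    tar -C "$work" -cf "$work/foo-1.0.tar" src
    record_upstream_checksum "$work/foo-1.0.tar" "$work/upstream.sha256"
    if verify_upstream_checksum "$work/foo-1.0.tar" "$work/upstream.sha256" >/dev/null 2>&1; then
        echo verified
    fi
    # A different archive served under the same file name must be rejected.
    echo 'main = return ()' >> "$work/src/Main.hs"
    tar -C "$work" -cf "$work/foo-1.0.tar" src
    if ! verify_upstream_checksum "$work/foo-1.0.tar" "$work/upstream.sha256" >/dev/null 2>&1; then
        echo rejected
    fi
    rm -rf "$work"
}
```

Committing `upstream.sha256` alongside the packaging files ties each upload to one specific archive; a later fetch of the same version that does not match the recorded hash fails before the build starts, which is the check the thread notes is missing while the tarball itself is unsigned.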
