[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Best VCS layout for our packages?

On 2015-06-17 09:19:56, Joachim Breitner wrote:
> Hi,
> Am Dienstag, den 16.06.2015, 20:39 -0700 schrieb Iustin Pop:
> > In general, I believe that storing upstream code in git is better for reasons
> > beyond packaging ease (e.g. authoritative deltas between upstream
> > orig.tar.gz as they were uploaded in Debian, reproduction of arbitrary
> > past versions, etc.), but I kind of agree that for mass packaging it's
> > better to not do that.
> > 
> > That said, I'd prefer if at least the repository records a checksum of
> > the upstream archive, since I feel this "checkout git signed tags but
> > use unsigned upstream archive from hackage" is not safe enough. Anyway,
> > another discussion.
> yes, this is a drawback of that approach, as also noted by Thomas Koch.
> For tarballs that are already in the archive, the problem is not so big
> (the authoritative file is there, and one cannot accidentally upload
> another), but that does not help until the first version is uploaded.

I believe that even for existing versions, recording the checksum
somewhere in the git repo (potentially on another branch) is helpful, as
it ties together the debian packaging and upstream correspondence in a
single place, rather than having to dig in other places.

But this is really beside Haskell packaging, which is the point under
discussion here :)

> hackage-security will eventually help here, but that does not exist
> yet.



Attachment: signature.asc
Description: Digital signature

Reply to: