
Re: Best VCS layout for our packages?



On 2015-06-17 09:19:56, Joachim Breitner wrote:
> Hi,
> 
> Am Dienstag, den 16.06.2015, 20:39 -0700 schrieb Iustin Pop:
> > In general, I believe that storing upstream code in git is better for reasons
> > beyond packaging ease (e.g. authoritative deltas between upstream
> > orig.tar.gz as they were uploaded in Debian, reproduction of arbitrary
> > past versions, etc.), but I kind of agree that for mass packaging it's
> > better to not do that.
> > 
> > That said, I'd prefer if at least the repository records a checksum of
> > the upstream archive, since I feel this "checkout git signed tags but
> > use unsigned upstream archive from hackage" is not safe enough. Anyway,
> > another discussion.
> 
> yes, this is a drawback of that approach, as also noted by Thomas Koch.
> For tarballs that are already in the archive, the problem is not so big
> (the authoritative file is there, and one cannot accidentally upload
> another), but that does not help until the first version is uploaded.

I believe that even for existing versions, recording the checksum
somewhere in the git repo (potentially on another branch) is helpful, as
it ties together the debian packaging and upstream correspondence in a
single place, rather than having to dig in other places.

But this is really beside Haskell packaging, which is the point under
discussion here :)

> hackage-security will eventually help here, but that does not exist
> yet.

ack.

thanks!
iustin

Attachment: signature.asc
Description: Digital signature
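One way to record a checksum of the upstream tarball in the packaging repository and refuse to build against an archive that does not match it, as an added example that is not code from this thread, from debian-haskell or from any Debian tool. The file name `debian/upstream/checksums`, the two function names and the sample "tarball" are this example's own assumptions; the record is a plain `sha256  filename` line per orig tarball so it can be committed alongside the packaging and diffed like any other file.

```shell
#!/bin/sh
# Added example (not from the original thread): pin the sha256 of the
# upstream orig tarball in the packaging repo and verify a fetched copy
# against it before building.  The checksums file location and function
# names are this example's own conventions, not a Debian standard.

set -eu

# sha256 of a file, portable across coreutils sha256sum and BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_upstream_checksum TARBALL CHECKSUMS
# Writes "<sha256>  <basename>" to CHECKSUMS, replacing any older entry for
# the same file name so the file stays at one line per orig tarball.
# Intended usage afterwards: git add debian/upstream/checksums && git commit
record_upstream_checksum() {
    tarball=$1; checksums=$2
    name=$(basename "$tarball")
    sum=$(sha256_of "$tarball")
    tmp="$checksums.tmp"
    if [ -f "$checksums" ]; then
        awk -v n="$name" '$2 != n' "$checksums" > "$tmp"
    else
        : > "$tmp"
    fi
    printf '%s  %s\n' "$sum" "$name" >> "$tmp"
    mv "$tmp" "$checksums"
}

# verify_upstream_checksum TARBALL CHECKSUMS
# Returns 0 when TARBALL matches its recorded line, 1 when the digest
# differs, and 2 when nothing was ever recorded for that file name.  An
# unpinned tarball is treated as a failure, not silently accepted.
verify_upstream_checksum() {
    tarball=$1; checksums=$2
    name=$(basename "$tarball")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$checksums" 2>/dev/null || true)
    if [ -z "$expected" ]; then
        echo "no recorded checksum for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed stand-in for an upstream tarball (plain text, not a
# real archive; only the bytes matter for the digest).
demo() {
    work=$(mktemp -d)
    printf 'constructed stand-in for hello-1.0 upstream tarball\n' > "$work/hello-1.0.tar.gz"
    record_upstream_checksum "$work/hello-1.0.tar.gz" "$work/checksums"
    cat "$work/checksums"
    verify_upstream_checksum "$work/hello-1.0.tar.gz" "$work/checksums" && echo "ok: pristine tarball matches"
    printf 'x' >> "$work/hello-1.0.tar.gz"   # simulate a swapped or corrupted download
    verify_upstream_checksum "$work/hello-1.0.tar.gz" "$work/checksums" || echo "refused: exit $?"
    rm -rf "$work"
}
demo
```

The point of the "unrecorded means fail" branch is that a tarball for which no line exists is exactly the first-upload case discussed above, where nothing in the archive can be compared against yet; the check makes that state visible instead of passing by default.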

