
Re: Do we still need pristine-tar?

Hi Charles,

Thanks a lot for taking time to explain it to me.

On 2025-09-12 17:10, Charles Plessy wrote:
> Hi Andrius, if we do gbp import-orig with foo.tgz, and then gbp
> buildpackage, only if we use --pristine-tar can we recreate an orig
> tarball from scratch that is identical to what we gave to gbp.
>
> In the git debpush workflow, the orig tarball is recreated from the Git
> repository if it does not exist in the Debian archive.  It has the same
> files but not necessarily the same checksum as upstream's source tarball,
> but this is not a blocker because if we want to do a Debian revision to
> the source package, we (and tag2upload) can download Debian's version of
> the upstream source tarball, and therefore keep it stable.

Well, this looks like a serious drawback to me. Not having bit-by-bit reproducibility, we cannot ensure that no tampering with the upstream tarball has been done. While this was fine prior to the xz-utils case, I do not think it is anymore.

Best,
Andrius
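Added example illustrating the point in the exchange above; it is not part of the thread and not code from gbp or pristine-tar. It builds a constructed stand-in for an upstream tree (foo-1.0, the file contents and the mtimes are all invented), packs it once as "upstream's" tarball, packs the same files again after a fresh export, and packs a third copy with one altered file. The recorded upstream checksum then passes only for the byte-identical tarball: the regenerated one has the same files but a different hash, exactly like the tampered one, which is why a hash check alone cannot tell the two apart unless the recreation is bit-exact. The script assumes GNU tar, GNU coreutils (touch -d @EPOCH, sha256sum, mktemp -p) and gzip, as on a Debian system.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread, gbp or pristine-tar.
# Shows the effect under discussion: a tarball regenerated from the same
# files normally has a different checksum from upstream's, so a recorded
# checksum only passes for a byte-identical tarball.  Assumes GNU tar,
# GNU coreutils (touch -d @EPOCH, sha256sum, mktemp -p) and gzip.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for an upstream tree; every file gets mtime $2.
make_tree() {
    rm -rf "$1"
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
    printf 'foo 1.0\n' > "$1/README"
    find "$1" -exec touch -d "@$2" {} +
}

# Pack a tree with fixed ordering, ownership and gzip header, so that
# file mtimes are the only metadata that can still differ.
pack_tree() {
    (cd "$(dirname "$1")" && \
        tar --sort=name --owner=0 --group=0 --numeric-owner \
            -cf - "$(basename "$1")" | gzip -n > "$2")
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Prints 1 if both tarballs unpack to identical file contents, else 0.
same_contents() {
    a=$(mktemp -d -p "$WORK"); b=$(mktemp -d -p "$WORK")
    tar -xzf "$1" -C "$a"
    tar -xzf "$2" -C "$b"
    if diff -r "$a" "$b" >/dev/null; then echo 1; else echo 0; fi
}

# The check that a recorded upstream checksum (e.g. the one in a .dsc)
# amounts to: the bytes must match exactly.
verify_orig() { [ "$(sha256_of "$1")" = "$2" ]; }

# 1. Upstream's release: files stamped at release time.
make_tree "$WORK/foo-1.0" 1700000000
pack_tree "$WORK/foo-1.0" "$WORK/foo_1.0.orig.tar.gz"
UPSTREAM_SHA=$(sha256_of "$WORK/foo_1.0.orig.tar.gz")

# 2. Same contents exported again a day later (what a git export yields):
#    identical files, different mtimes in the tar headers.
make_tree "$WORK/foo-1.0" 1700086400
pack_tree "$WORK/foo-1.0" "$WORK/regenerated.orig.tar.gz"
REGEN_SHA=$(sha256_of "$WORK/regenerated.orig.tar.gz")

# 3. A tarball with upstream's metadata but one changed file.
make_tree "$WORK/foo-1.0" 1700000000
printf '/* one extra line */\n' >> "$WORK/foo-1.0/src/main.c"
touch -d @1700000000 "$WORK/foo-1.0/src/main.c"
pack_tree "$WORK/foo-1.0" "$WORK/tampered.orig.tar.gz"

echo "upstream     $UPSTREAM_SHA"
echo "regenerated  $REGEN_SHA"
echo "same files:  $(same_contents "$WORK/foo_1.0.orig.tar.gz" "$WORK/regenerated.orig.tar.gz")"
for t in foo_1.0 regenerated tampered; do
    if verify_orig "$WORK/$t.orig.tar.gz" "$UPSTREAM_SHA"; then
        echo "$t.orig.tar.gz: checksum matches upstream"
    else
        echo "$t.orig.tar.gz: checksum does NOT match upstream"
    fi
done
```

The script only reproduces the checksum effect, not pristine-tar's mechanism: pristine-tar stores a small binary delta between the upstream tarball and the committed tree on a separate branch, which is what lets gbp buildpackage --pristine-tar emit the original bytes rather than a fresh export like the "regenerated" case here.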