
Re: How to include information about a source package ?



On Tuesday 02 May 2006 00:24, Don Armstrong wrote:
> On Mon, 01 May 2006, George Danchev wrote:
> > On Monday 01 May 2006 22:05, Don Armstrong wrote:
> > > On Mon, 01 May 2006, George Danchev wrote:
> > > > 1) Since debian/copyright already contains the upstream URL I would
> > > > add also the hashes against it in a machine parsable way:
> > > >
> > > > It was downloaded from ftp://ftp.coolsite.org/dir/file-1.2.tar.gz
> > > > md5sum: paranoiccyphers
> > > > sha1sum: extraparanoiccyphers
> > >
> > > That's not useful; far better to look at the original .dsc. Finally,
> > > changing it automatically will just end up with it being the same as
> > > the orig.tar.gz put in the .dsc...
> >
> > We won't have .dsc at that stage at all. The sponsor could checkout
> > my debian/ directory from a scm repo we both have access to or I can
> > send it to him gpg signed and he can start off the reviewing and
> > building process from there. That's all.
>
> In the cases where I'm sponsoring, I expect the sponsee to have built
> the packages, have them ready for uploading, and lintian clean. I then
> check and rebuild the packages myself, but I'm not going to bother
> building them at all if the sponsee hasn't already done that. [I don't
> want to spend time checking a package to find out that it FTBFS in a
> trivial manner, or doesn't work at all.]

I think that it is not worth mentioning that the packages prepared by a 
sponsee must be buildable and lintian/linda-clean before pinging the sponsor 
to check them out. Packages built by the sponsee are not supposed to go to 
the sponsor side, since he must rebuild them anyway to complete his duties. 
Also, doing so prevents the sponsor from blindly uploading the sponsee's packages 
without reviewing and rebuilding them as well ;-)

> If I'm a co-maintainer, I'll build from a VCS repository, but that's a
> different situation entirely.
>
> > > the copyright file isn't designed to have that information in it
> > > in the first place.
> >
> > I do not see why it is not. File uri along a digest(s) is the only
> > way to strictly declare which upstream tarball we are talking about.
>
> A watch file is far better at doing this. The copyright file is meant
> to document the copyrights and licenses present in the upstream
> package, not to be used as a programmatic interface to the upstream
> source location.

I'm almost inclined to agree with you, but how do you declare exactly which 
upstream file or files these copyrights and licenses are relevant to? Having a 
loose "downloaded from site.org" (although there are many packages even without 
that information, xorg comes to mind) could not be enough in cases where 
the original file was tampered with somehow, e.g. intentionally or not, being 
replaced by a file with the same name but with different content. These could 
be quite rare cases and not described by Debian normative documents, but this 
could easily be a gap? Let's forget for a moment about programmatic interfaces. 
Why do you believe I'm not allowed to tightly declare which upstream tarball 
I'm referring to with these copyrights and licenses collected into the 
debian/copyright file?

-- 
pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB 
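
Added example, not part of the message above and not Debian tooling: a check of a tarball against the "downloaded from" stanza with digest lines proposed in the thread. The function names, the constructed sample bytes, and the acceptance of a `sha256sum:` line are assumptions.

```python
import hashlib
import hmac
import re

URL_RE = re.compile(r"^It was downloaded from (\S+)$")
# md5sum/sha1sum are the keys named in the thread; sha256sum is an assumed extension.
DIGEST_RE = re.compile(r"^(md5|sha1|sha256)sum:\s*([0-9a-fA-F]+)$")

def parse_stanza(text):
    """Return (url, {algo: hexdigest}) from the stanza lines; other lines are ignored."""
    url, digests = None, {}
    for line in text.splitlines():
        line = line.strip()
        if m := URL_RE.match(line):
            url = m.group(1)
        elif m := DIGEST_RE.match(line):
            digests[m.group(1)] = m.group(2).lower()
    return url, digests

def check_upstream(stanza, data):
    """True only if the stanza pins at least one digest and every pinned digest matches."""
    url, digests = parse_stanza(stanza)
    if url is None or not digests:
        return False  # nothing usable is pinned: do not report the file as verified
    return all(
        hmac.compare_digest(hashlib.new(algo, data).hexdigest(), want)
        for algo, want in digests.items()
    )

def make_stanza(url, data, algos=("md5", "sha1")):
    """Write the stanza for a tarball the maintainer has in hand."""
    lines = [f"It was downloaded from {url}"]
    lines += [f"{a}sum: {hashlib.new(a, data).hexdigest()}" for a in algos]
    return "\n".join(lines)

# Constructed sample bytes standing in for the tarball contents.
ORIGINAL = b"file-1.2 upstream release (constructed sample)\n"
REPLACED = b"file-1.2 replaced under the same name (constructed sample)\n"
URL = "ftp://ftp.coolsite.org/dir/file-1.2.tar.gz"
STANZA = make_stanza(URL, ORIGINAL)

if __name__ == "__main__":
    print("original matches:", check_upstream(STANZA, ORIGINAL))
    print("replaced matches:", check_upstream(STANZA, REPLACED))
```

A stanza whose digest lines are not hexadecimal, or that has none, is reported as unverified rather than silently accepted.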


