
Re: Modified tarballs [was: Re: RFS: minidlna (updated package and FTBFS fix)]

On Sat, Jul 23, 2011 at 4:46 AM, Sven Hoexter <sven@timegate.de> wrote:
> On Fri, Jul 22, 2011 at 09:03:07PM -0300, Fernando Lemos wrote:
>> Just to clarify, I find it concerning that we might be accepting
>> source uploads that don't come straight from upstream and don't match
>> what was released upstream. I'm relieved to hear that there is a way
>> to ensure in your specific case that the source is the same as shipped
>> upstream. I wish this was a requirement for new packages entering
>> Debian.
> We do it all the time. Just 'dpkg -l|grep dfsg' on your local system
> and you should find plenty of those modified source tarballs.

Yeah, I'm aware of those.

> What I, as an uploader, do in such cases is a diff between the upstream
> provided tarball and what's in the dfsg orig.tar.gz. You can get a
> rough overview with diffstat and then review suspicious additions in
> more detail.

Thanks, that's what I expected to hear.
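
The comparison described in the quoted reply above, as an added Python example that is not part of the original message: it hashes every regular file in the upstream and repacked tarballs and sorts the differences into added, removed and changed, so additions and modifications can be reviewed first. It assumes each tarball has a single top-level directory; the function names and the sample tarballs are constructed for illustration.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map path (top-level directory stripped) -> SHA-256 of each regular file."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Assumption: one top-level directory whose name differs between
            # the two tarballs (pkg-1.0/ vs pkg-1.0+dfsg/), so compare below it.
            rel = member.name.split("/", 1)[-1]
            digests[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare_tarballs(upstream_bytes, repacked_bytes):
    """Classify how the repacked tarball differs from the upstream one."""
    up, rp = member_digests(upstream_bytes), member_digests(repacked_bytes)
    return {
        "added": sorted(set(rp) - set(up)),      # not in upstream: review closely
        "removed": sorted(set(up) - set(rp)),    # expected for a dfsg repack
        "changed": sorted(p for p in set(up) & set(rp) if up[p] != rp[p]),
    }


def build_tarball(top_dir, files):
    """Build a .tar.gz in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{top_dir}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample input, not real package contents.
UPSTREAM = build_tarball("pkg-1.0", {
    "src/main.c": b"int main(void) { return 0; }\n",
    "doc/spec.pdf": b"%PDF non-free document\n",
    "Makefile": b"all:\n\tcc src/main.c\n"})
REPACKED = build_tarball("pkg-1.0+dfsg", {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/extra.c": b"void extra(void) {}\n",
    "Makefile": b"all:\n\tcc src/main.c src/extra.c\n"})

if __name__ == "__main__":
    for kind, paths in compare_tarballs(UPSTREAM, REPACKED).items():
        print(kind, paths)
```

For real tarballs, pass the bytes of each file read from disk to `compare_tarballs`.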
