
Re: Keeping upstream commits separate from Debian packaging commits



On 16 October 2014 18:01, Thomas Goirand <zigo@debian.org> wrote:
> Using pristine-tar and pulling from upstream VCS is silly. If you do
> it like this, then why not just do tag-based packaging? That's a lot
> safer than just re-tagging on top of what upstream does (i.e. no risk of
> introducing any difference).

If you are fetching the upstream revisions / tags into your packaging
repository, you can use the upstream tag exactly as-is, no need to
re-tag (and indeed re-tagging would generally be a bad idea).

>> Using upstream tags
>> *without* using pristine-tar would seem to be inadvisable
>
> For what reason exactly? In what way does pristine-tar help when basing
> your packaging on upstream Git tags?

The purpose of pristine-tar is the same whether you base it on a
revision fetched from upstream, or a revision created by
git-import-orig or a similar tool: it allows you to produce the
original byte-for-byte tarball from the git repository, without having
to store the tarball itself in the repository in addition to the
contents of the tarball. (Although apparently it does not always
succeed at doing this...)

For most software, the primary distribution mechanism is a tarball
released by upstream on their website, their project hosting service,
or on a service like PyPI. If such a tarball exists, and is suitable
for use in Debian, then having the upstream source in Debian match the
tarball distributed by upstream byte-for-byte makes it much easier to
verify that the source in Debian is unmodified from the upstream
source. This is harder when the tarball is generated from a git tag:
the source package does not include the information necessary to match
it against the git tag, comparing the individual files is necessary
instead of comparing the archive, and producing the upstream source
(.orig.tar.gz) will produce a tarball with different bytes every time
(even if the file contents will not change).

Alternatively, if you will never generate the upstream source from the
git repository, then you avoid this problem, but then building a
particular package version may require manually fetching the correct
tarball from the archive / snapshot.debian.org if it is no longer
available from the original source.
-- 
mithrandi, i Ainil en-Balandor, a faer Ambar
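
The verification difference described in the message above, as an added example that is not part of the original post: an archive-level hash only matches when the tarball is byte-for-byte identical, while a regenerated tarball has to be compared file by file. The sample tree, timestamps and function names are constructed for illustration; timestamps in the tar and gzip headers are used here as one source of differing bytes.

```python
import gzip, hashlib, io, tarfile

def make_orig_tarball(files, mtime):
    """Build a .tar.gz in memory from {path: bytes}; mtime lands in tar and gzip headers."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for path in sorted(files):
            info = tarfile.TarInfo(path)
            info.size = len(files[path])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[path]))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()

def archive_digest(blob):
    """Single hash over the whole archive: the cheap check a pristine tarball allows."""
    return hashlib.sha256(blob).hexdigest()

def content_manifest(blob):
    """Map each regular file to the SHA-256 of its contents, ignoring archive metadata."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(data).hexdigest()
    return manifest

def compare(a, b):
    """Return (byte_identical, content_identical, differing_paths)."""
    ma, mb = content_manifest(a), content_manifest(b)
    differing = sorted(p for p in ma.keys() | mb.keys() if ma.get(p) != mb.get(p))
    return archive_digest(a) == archive_digest(b), not differing, differing

# Constructed sample data: one "upstream release", one regeneration of the same
# tree at a later time, and one tree with a modified file.
TREE = {"pkg-1.0/README": b"hello\n", "pkg-1.0/setup.py": b"print('x')\n"}
upstream = make_orig_tarball(TREE, mtime=1413475200)
regenerated = make_orig_tarball(TREE, mtime=1413561600)
modified = make_orig_tarball({**TREE, "pkg-1.0/setup.py": b"print('y')\n"}, mtime=1413475200)

if __name__ == "__main__":
    for name, other in [("regenerated", regenerated), ("modified", modified)]:
        print(name, compare(upstream, other))
```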

