Quoting Louis-Philippe Véronneau (2024-06-17 07:40:51) > On 2024-06-16 2 h 23 p.m., Russ Allbery wrote: > > > > For the existing source package signatures, a simplified sequence looks > > like this: > > > > human --> (1) dpkg-buildpackage --> (2) debsign --> (3) archive > > > > For tag2upload, a simplified sequence looks like: > > > > human --> (1) Git --> (2) tag2upload --> (3) debsign --> (4) archive > > Please excuse my naiveté, but how do you actually know that your package > "works" with the tag2upload workflow if you're not building anything > locally before pushing? > > By "works", I mean, how have you tested it will build and will pass all > the proper pre-upload tests? As I understand it, neither of above processes ensure that. More accurately, (1) in the first sequence is `dpkg-buildpackage -S` (which might be done as part of a larger process, not called as such, but the *functionality* narrowly relevant for the sequence is only that the human uses a tool to produce a _source_ package (not whatever other tasks the human may or may additionally do). > On my side, I tend to work on a Git tree and when I'm happy with it I > use sbuild to: > > 1. build the source and the binary packages (and thus run build tests) > 2. run Lintian > 3. run autopkgtests > > Only if all of these steps seem OK will I consider signing and uploading > the resulting source package (and yes, in reality what I actually intend > to sign is the Git tree I worked on). > > Implementation notwithstanding, I'd be more than happy to have a "git > $something" replace my use of debsign and dput, but I am genuinely > curious to know why we would make it easier to upload something that > hasn't passed what I believe are important QA steps before uploading? > > Andreas Tille already raised that point in another thread, but the > answer seems to have been that it's already possible. Incentivising such > a behavior doesn't sound positive to me. I rarely call `dpkg-buildpackage -S` directly. Instead I call `debuild`, or some wrapper around that. If tag2upload becomes part of Debian, I would expect debuild and/or some of its wrappers to suppor hooking into tag2upload, for a single command to do both test-building and signing off. In summary, I don't see how this is any different from what we have today. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ * Sponsorship: https://ko-fi.com/drjones [x] quote me freely [ ] ask before reusing [ ] keep private
Attachment:
signature.asc
Description: signature