[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFC] General Resolution to deploy tag2upload

Paul R. Tagliamonte writes ("Re: [RFC] General Resolution to deploy tag2upload"):
> I wonder if we have a good idea of what the project believes to be the case
> between #1 and #2:
> 
> 1) Is the source of a package the debian source distribution?
> 2) Is the source of a package the VCS where the source is held?

IMO (and I realise not everyone is going to agree with me):

Official doctrine in Debian is 1.
For most packages in Debian, the truth is 2.

This is pages 3 and 4 of the slides from my 2023 talk.

  https://wiki.debian.org/DebianEvents/gb/2023/MiniDebConfCambridge/Jackson?action=AttachFile&do=get&target=slides.pdf

> Or, to extend it once more in the context of this discussion --
> should the source be built by a buildd from the "true" source? Why
> do we bother having a maintainer sign this intermediate artifact,
> like we used to with debs?
> 
> Even more extremely -- should we bother with dscs anymore if they're
> just an intermediate artifact?
> 
> Most extremely -- do we need a new dpkg source format? Should
> buildds build off git tags? Do we need to overhaul how we treat
> sources?

Those are all fine ideas, but don't think they are deployable in the
huge Debian ecosystem.  tag2upload is the part of my programme to fix
this in a backward compatible way, without breaking anyone's workflow.

> Galaxy brain extremely -- what does GPL compliance mean if the dsc is not the
> true source? (ok this one isn't serious, there's no doubt it's corresponding
> source :) )

Regardless of legal considerations, I consider the current usual
situation intolerable for precisely these reasons: the actual source
code is only on salsa and is not useable in an automated way.

Sometimes the actual source code isn't on Debian-owned systems at all:
for example, some of the language team monorepo workflows have this
property, particularly those using a tarballs-based upstream
language-specific repository, rather than the git repos those packages
are actually maintained in by their respective upstreams.

IOW, IMO language-specific package repositories that publish tarballs
aren't publishing source code, either.  Thosae tarballs are
intermediate build products just like our .dsc tarballs-and-patches.

Even if the rest of the world is terrible and don't mind mystery meat
software sausage, we in Debian should be doing better than that.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
Reply to: