What is the source code (was: [RFC] General Resolution to deploy tag2upload)
Paul R. Tagliamonte wrote:
> I wonder if we have a good idea of what the project believes to be the case between #1 and #2:
>
> 1) Is the source of a package the debian source distribution?
> 2) Is the source of a package the VCS where the source is held?

Let me rewrite that in a different way:

1) is the source of a package the current version of the code? [*]
2) is the source of a package the complete history of the project? [**]

Speaking for myself, I believe the source is "the set of files that
are required in order to build the package", that is, the current
version, and only that.

The history of the project may be useful information as it documents
how the code was developed, but it is not necessary in order to build
the package AND it is not necessary in order to develop a modified
version. One could argue that the "preferred form for modification",
as per the GPL, includes anything that might provide useful
information to a developer. I consider that a far-fetched
interpretation. If the developers wrote a book explaining how they
designed the program, that too would be useful information, for pretty
much the same reasons, but I don't think anybody would argue that the
book would be part of the source.

Then the source can be stored and made available in different ways: as
a tarball, as a tagged snapshot of a VCS, etc. I see that as a mostly
orthogonal issue. Those are simply different ways to retrieve the same
set of source files. Different upstreams might indicate a different
"canonical way" to obtain the source: download a tarball, check out a
Git repository, or whatever. People could choose to follow or not
follow the recommendation and obtain the source via other means. What
matters is that they end up with the same files.

Similarly, I don't see a problem if one signs the .dsc file or the Git
tree. What matters is that it can be verified that the source files
haven't been tampered with. Any method of signing is fine as long as
it achieves that goal. Of course, the signed file(s) must be in the
Debian archive, which currently the .dsc file is and the Git tree
isn't.

[*] "Current" in the context of a specific release, that is, the
version of the code that upstream decided to release
[**] Strictly speaking, the subset of the complete history that got
committed to the project's VCS

Gerardo