Hello,

On Mon, Jan 08 2018, Ian Jackson wrote:

> Mattia Rizzolo writes ("Bug#886625: push-source should be usable no
>matter the state of the working tree"):
>> On Mon, Jan 08, 2018 at 11:20:08AM +0000, Ian Jackson wrote:
>> > (Now that push-source exists I'm not sure why you would
>> > build-source, really.)
>>
>> To build a .dsc and then pass it to a non supported builder (which
>> means, anything that is not sbuild or gbp, I think).
>
> Right, I sort of realised that in my last message.  Are these mostly
> use cases where a .dsc is wanted rather than a .changes ?

I thought of a case where a .dsc is not sufficient and one needs a
.changes: services like <http://debomatic-amd64.debian.net/>.

To use debomatic you must change the distribution in your changelog to
'unstable' from 'UNRELEASED', build a _source.changes, and then sign the
.changes and .dsc with your PGP key.

I.e. you are only a `dput ftp-master` away from accidentally releasing
your package and you are also trusting debomatic not to leak your signed
_source.changes, which would permit someone else to release your
package.

IMO this is a very bad workflow and so it would be okay if dgit did not
support it.  I.e. dgit should have `export-dsc` and `push-source` only,
and no `build-source` subcommand that builds a _source.changes but does
not upload it.

The user can of course use `dgit build -S`, and in any case, even with
`build-source` they must still invoke debsign themselves.

-- 
Sean Whitton

Attachment: signature.asc
Description: PGP signature

Reply via email to