> > I have one question about the design: How will this behave with > > repackaged sources? > > I think it would behave exactly like non-repackaged origs. The > upstream/<num> tag would contain the repackaged code, and the > pristine-tar data would contain the usual binary diff. pristine-tar does > not "know" that the tarball was repackaged, and tag2upload doesn't care > either. > > Hope it makes sense to you! If you have any doubt, just ask.
Yes, this makes sense. The upstream signature verification chain will be no longer be intact, but anyone auditing the supply-chain will see the file and the +ds or +ds1 suffix and easily figure out that the file intentionally isn't exactly the same anymore. In this case the pristine-tar feature is kind of moot, but it is still of more "transparent" to a potential auditor to let them find the file in the same places in the git history as they expect but with a +ds1 suffix, than to not find it or find a file with original filename but non-original contents and confuse them on where it got changed and why.
