Hi Wookey,

On Wed, Aug 09, 2023 at 02:30:43PM +0100, Wookey wrote:
> I have never tried Helmut's suggestion of removing this stuff in the
> clean target. It does seem to me that removing it from the tarball
> makes a lot more sense than cleaning it later.
I do see all the advantages of repacking that you and Simon presented. We don't have to argue about them. Simon also pointed at a severe limitation though: when repacking, the upstream signature becomes useless and external parties can no longer verify it with ease. Including that upstream signature increases trust in the source shipped by Debian being good.

For cases where we repack anyway (e.g. for licensing reasons), we have broad consensus that we should also delete generated files at the repacking stage. I also see a shift here where we may recommend repacking just for deleting unused files in the absence of an upstream signature. The arguments are convincing to me.

Does anyone see a way to enable upstream signature verification with repacked sources? This seems technically incompatible: in order to verify the signature, we really have to ship the original tar and thus get into the licensing mess. So the best we might do here is point at the original tar and signature (hoping that it does not go away) and provide a tool that verifies the signature and establishes that the repacked source really corresponds to the verified tar. Is anyone aware of such tooling?

In the absence of such tooling, I continue to see clean-before-build as a valid strategy for dealing with generated files and vendored sources.

Helmut
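A sketch of the kind of tool Helmut asks about, added here as an example; it is not from the thread and not part of Debian's packaging tooling. It assumes a POSIX sh with tar, sha256sum, comm and gpgv available, a detached OpenPGP signature on the original tarball, and the upstream key in a binary (dearmored) keyring file such as a converted debian/upstream/signing-key.asc. The check first verifies the signature on the original tarball, then extracts both tarballs, strips the top-level directory (a +dfsg repack normally renames it) and compares per-file SHA-256 digests: a repack passes only if every file it contains is byte-identical to a file in the verified original, and the files that were deleted are listed so a reviewer can see exactly what the repack removed.

```shell
#!/bin/sh
# Added example, not Debian's or Helmut's tooling.
# Usage: sh check-repack.sh KEYRING SIG ORIG.tar REPACK.tar
set -eu

# verify_upstream_sig KEYRING SIG TARBALL
# Verifies the detached upstream signature against the original tarball.
# Assumes gpgv and a binary keyring file (assumption, see lead-in).
verify_upstream_sig() {
    gpgv --keyring "$1" "$2" "$3"
}

# tar_digests TARBALL OUTFILE
# Writes one "sha256  path" line per regular file in TARBALL, with the
# top-level directory stripped so that foo-1.0/ and foo-1.0+dfsg/ compare.
tar_digests() {
    tmp=$(mktemp -d)
    tar -xf "$1" -C "$tmp"
    ( cd "$tmp" && find . -type f | sed 's|^\./||' | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "${f#*/}"
      done ) > "$2"
    rm -rf "$tmp"
}

# check_repack ORIGINAL REPACKED
# Returns 0 only if every file in REPACKED is byte-identical to the file of
# the same (top-dir-stripped) path in ORIGINAL. Files that ORIGINAL has and
# REPACKED lacks are the deletions the repack made; they are printed as
# "deleted: path" so a reviewer can audit them. Any file that is new or
# modified in REPACKED is reported on stderr and the check fails.
check_repack() {
    orig=$(mktemp); rep=$(mktemp)
    tar_digests "$1" "$orig"
    tar_digests "$2" "$rep"
    # comm needs sorted input; sort on the full "hash  path" line.
    sort -o "$orig" "$orig"
    sort -o "$rep" "$rep"
    extra=$(comm -13 "$orig" "$rep")          # lines only in the repack
    comm -23 "$orig" "$rep" | sed 's/^[0-9a-f]*  /deleted: /'
    rm -f "$orig" "$rep"
    if [ -n "$extra" ]; then
        printf 'repack contains files not in the verified upstream tarball:\n%s\n' "$extra" >&2
        return 1
    fi
    return 0
}

# Only run the full pipeline when invoked with the four arguments; this lets
# the functions above be sourced without side effects.
if [ "$#" -eq 4 ]; then
    verify_upstream_sig "$1" "$2" "$3"
    check_repack "$3" "$4"
fi
```

The signature step and the correspondence step are deliberately separate functions: the signature only ever covers the original tarball, so the tool's trust argument is "the original is authentic, and the repack is a pure subset of it", which is the property a downstream verifier actually needs. A renamed or edited file shows up as both a deletion and an extra line, which is why a modified file fails the check rather than being listed as merely deleted.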