Hello, On Tue 29 Oct 2024 at 02:48pm +01, Helmut Grohne wrote:
> Andrey has already said much of what I could add to the thread, but I > think I can slightly clarify the needs of NMUers. > > On Fri, Oct 25, 2024 at 08:45:16AM +0200, Andreas Henriksson wrote: >> I would very much prefer if it was possible in Debian to not allow >> the archive to get out of sync with packaging git repo (for example >> when it lives under salsa.debian.org/debian which uploaders should have >> access to already). > > There are three quite fundamental pieces missing to achieve this. > > There needs to be simple way to turn a git commit into a source package. > If the source of truth ever is to become git, the .dsc becomes an export > format and then this becomes a hard requirement. We can turn git commits > into source packages. The problem is that there is not one way to do > this, but about a hundred and you need to know which package uses which. > That does not scale. > > There needs to be a simple way to figure out the commit that corresponds > to an upload. This problem has been approached in two ways. For one > thing, there is DEP14 recommending a particular tag layout, but I think > this is backwards. It assumes that the git repository is trusted, but in > reality git repositories allow for much wider access than Debian > uploads. What we really needs is a source package to know the commit id > it was generated from. > > These operations need to round-trip. If you take a source package, > identify the git commit and export it to .dsc, it must be functionality > equivalent to what you started with. Timestamps may differ, but file > content or contained files very much not. > > To me, these are hard requirements for using maintainer git > repositories for performing NMUs. > > Now the dgit users among us will be grinning already as what I have > written here, very much reads like a specification of (parts of) dgit. > Once again, I question whether salsa as we use it now is the solution or > the problem. I note that it is practically possible to push your dgit > history to salsa and then NMUers can easily do meaningful MRs for their > uploads even when your maintainer git has changes that have not yet been > uploaded. Well, quite, this is dgit indeed. -- Sean Whitton
signature.asc
Description: PGP signature
