Chris Hofstaedtler <z...@debian.org> writes: > * Jonathan Dowland <j...@debian.org> [241126 12:59]: >> On Tue Nov 26, 2024 at 10:50 AM GMT, Andrey Rakhmatullin wrote: >> > Yes, as they don't enable pristine-tar >> >> Is pristine-tar still valuable these days? > > Unfortunately yes. AFAIK the two options for fixing this that are > usually proposed are: > > 1) treat it as a problem of each individual developer, just like > pristine-tar. Instead of pristine-tar, invent new tooling to manage > tarballs. > This path often tries to solve the problem only for Debian and only > in a narrow scenario. > > 2) Have all uploads always supply a new orig.tar.gz. This could mean > either treating every package as Debian-native, or some other > solution. > This is a global solution and reduces complexity instead of adding > to it.
Until we record expected upstream tarball hashes in a debian/* file, an acceptable approach seems to be to skip the pristine-tar branch and be sure to download the previous orig.tar.* + orig.tar.*.asc from the Debian archive, instead of attempting to re-generate it from the upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible). I have never understood what value there is in duplicating the uploaded tarball in the git repository. Recording a hash of it is sufficient. But I'm also happy to work with pristine-tar branches when that is the workflow for a particular package. I just wish the tooling handled *.asc files better, and stored them too automatically. /Simon
signature.asc
Description: PGP signature
