On Tue, Nov 26, 2024 at 04:27:37PM +0100, Simon Josefsson wrote: > >> > Yes, as they don't enable pristine-tar > >> > >> Is pristine-tar still valuable these days? > > > > Unfortunately yes. AFAIK the two options for fixing this that are > > usually proposed are: > > > > 1) treat it as a problem of each individual developer, just like > > pristine-tar. Instead of pristine-tar, invent new tooling to manage > > tarballs. > > This path often tries to solve the problem only for Debian and only > > in a narrow scenario. > > > > 2) Have all uploads always supply a new orig.tar.gz. This could mean > > either treating every package as Debian-native, or some other > > solution. > > This is a global solution and reduces complexity instead of adding > > to it. > > Until we record expected upstream tarball hashes in a debian/* file, an > acceptable approach seems to be to skip the pristine-tar branch and be > sure to download the previous orig.tar.* + orig.tar.*.asc from the > Debian archive, instead of attempting to re-generate it from the > upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible). > > I have never understood what value there is in duplicating the uploaded > tarball in the git repository. Recording a hash of it is sufficient. > But I'm also happy to work with pristine-tar branches when that is the > workflow for a particular package. I just wish the tooling handled > *.asc files better, and stored them too automatically.
One possible rebuttal to this is "gbp needs to do the right thing then". Currently gbp by default generates a broken tarball, which is also a source of confusion for many. -- WBR, wRAR
signature.asc
Description: PGP signature
