* Simon Josefsson <si...@josefsson.org> [241126 16:27]:
> Chris Hofstaedtler <z...@debian.org> writes:
> 
> > * Jonathan Dowland <j...@debian.org> [241126 12:59]:
> >> On Tue Nov 26, 2024 at 10:50 AM GMT, Andrey Rakhmatullin wrote:
> >> > Yes, as they don't enable pristine-tar
> >> 
> >> Is pristine-tar still valuable these days?
> >
> > Unfortunately yes. AFAIK the two options for fixing this that are
> > usually proposed are:
> >
> > 1) treat it as a problem of each individual developer, just like
> > pristine-tar. Instead of pristine-tar, invent new tooling to manage
> > tarballs.
> > This path often tries to solve the problem only for Debian and only
> > in a narrow scenario.
> >
> > 2) Have all uploads always supply a new orig.tar.gz. This could mean
> > either treating every package as Debian-native, or some other
> > solution.
> > This is a global solution and reduces complexity instead of adding
> > to it.
> 
> Until we record expected upstream tarball hashes in a debian/* file, an
> acceptable approach seems to be to skip the pristine-tar branch and be
> sure to download the previous orig.tar.* + orig.tar.*.asc from the
> Debian archive, instead of attempting to re-generate it from the
> upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).

This is 1). It cannot be done generically as it requires knowing
where to download from, etc.

> I have never understood what value there is in duplicating the uploaded
> tarball in the git repository.  Recording a hash of it is sufficient.

The hash is sufficient for knowing it changed, but you still have to
get the actual tarball from somewhere.

Chris
