On Tue, Nov 26, 2024 at 06:54:18PM +0100, Chris Hofstaedtler wrote:
> > >> > Yes, as they don't enable pristine-tar
> > >>
> > >> Is pristine-tar still valuable these days?
> > >
> > > Unfortunately yes. AFAIK the two options for fixing this that are
> > > usually proposed are:
> > >
> > > 1) treat it as a problem of each individual developer, just like
> > > pristine-tar. Instead of pristine-tar, invent new tooling to manage
> > > tarballs.
> > > This path often tries to solve the problem only for Debian and only
> > > in a narrow scenario.
> > >
> > > 2) Have all uploads always supply a new orig.tar.gz. This could mean
> > > either treating every package as Debian-native, or some other
> > > solution.
> > > This is a global solution and reduces complexity instead of adding
> > > to it.
> >
> > Until we record expected upstream tarball hashes in a debian/* file, an
> > acceptable approach seems to be to skip the pristine-tar branch and be
> > sure to download the previous orig.tar.* + orig.tar.*.asc from the
> > Debian archive, instead of attempting to re-generate it from the
> > upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).
>
> This is 1). It cannot be done generically as it requires knowing
> where to download from, etc.

The archive, when the tarball is already there. These suggestions never discuss what to do when the tarball was never uploaded yet; even I didn't discuss that, for simplicity. It makes sense from some PoVs, at least when one doesn't use pristine-tar to make a tarball that has differences in the actual content, not just bit differences in the tarball itself while having identical file contents.

--
WBR, wRAR