Andrey Rakhmatullin <w...@debian.org> writes: > On Tue, Nov 26, 2024 at 06:54:18PM +0100, Chris Hofstaedtler wrote: >> > >> > Yes, as they don't enable pristine-tar >> > >> >> > >> Is pristine-tar still valuable these days? >> > > >> > > Unfortunately yes. AFAIK the two options for fixing this that are >> > > usually proposed are: >> > > >> > > 1) treat it as a problem of each individual developer, just like >> > > pristine-tar. Instead of pristine-tar, invent new tooling to manage >> > > tarballs. >> > > This path often tries to solve the problem only for Debian and only >> > > in a narrow scenario. >> > > >> > > 2) Have all uploads always supply a new orig.tar.gz. This could mean >> > > either treating every package as Debian-native, or some other >> > > solution. >> > > This is a global solution and reduces complexity instead of adding >> > > to it. >> > >> > Until we record expected upstream tarball hashes in a debian/* file, an >> > acceptable approach seems to be to skip the pristine-tar branch and be >> > sure to download the previous orig.tar.* + orig.tar.*.asc from the >> > Debian archive, instead of attempting to re-generate it from the >> > upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible). >> >> This is 1). It cannot be done generically as it requires knowing >> where to download from, etc. > > The archive, when the tarball is already there. > > These suggestions never discuss what to do when the tarball was never > uploaded yet, even I didn't discuss that for simplicity. It makes sense > from some PoVs, at least when one doesn't use pristine-tar to make a > tarball that has differences in the actual content, not just bit > differences in the tarball itself while have identical file contents.
If you haven't made an upload, then wouldn't you have the tarball locally while working on preparing the upload? And if someone doesn't have the orig.tar.gz locally, then why would anyone want to get it from a random git repository, rather than fetching it from the Debian archive or from upstream's release page? What is the use-case here that am I missing? I've always preferred to work with a pristine-tar branch myself, but I'm having trouble coming up with a strong motivation for its existance, so maybe backing down from that preference is a way forward. /Simon
signature.asc
Description: PGP signature
