On Tue, Nov 26, 2024 at 08:49:44PM +0100, Simon Josefsson wrote:
> >> > >> > Yes, as they don't enable pristine-tar
> >> > >>
> >> > >> Is pristine-tar still valuable these days?
> >> > >
> >> > > Unfortunately yes. AFAIK the two options for fixing this that are
> >> > > usually proposed are:
> >> > >
> >> > > 1) treat it as a problem of each individual developer, just like
> >> > > pristine-tar. Instead of pristine-tar, invent new tooling to manage
> >> > > tarballs.
> >> > > This path often tries to solve the problem only for Debian and only
> >> > > in a narrow scenario.
> >> > >
> >> > > 2) Have all uploads always supply a new orig.tar.gz. This could mean
> >> > > either treating every package as Debian-native, or some other
> >> > > solution.
> >> > > This is a global solution and reduces complexity instead of adding
> >> > > to it.
> >> >
> >> > Until we record expected upstream tarball hashes in a debian/* file, an
> >> > acceptable approach seems to be to skip the pristine-tar branch and be
> >> > sure to download the previous orig.tar.* + orig.tar.*.asc from the
> >> > Debian archive, instead of attempting to re-generate it from the
> >> > upstream/ branch (which isn't guaranteed to be bit-by-bit reproducible).
> >>
> >> This is 1). It cannot be done generically as it requires knowing
> >> where to download from, etc.
> >
> > The archive, when the tarball is already there.
> >
> > These suggestions never discuss what to do when the tarball was never
> > uploaded yet, even I didn't discuss that for simplicity. It makes sense
> > from some PoVs, at least when one doesn't use pristine-tar to make a
> > tarball that has differences in the actual content, not just bit
> > differences in the tarball itself while have identical file contents.
>
> If you haven't made an upload, then wouldn't you have the tarball
> locally while working on preparing the upload?
>
> And if someone doesn't have the orig.tar.gz locally, then why would
> anyone want to get it from a random git repository, rather than fetching
> it from the Debian archive or from upstream's release page? What is the
> use-case here that am I missing?

Yup, as I said it makes sense. It just feels fragile to me when the
"pristine" tarball for a given upstream tag in a given repo is not
determined until someone uploads it. And, as I also said, there are use
cases (arguably buggy) when the tarball contents is actually modified.

-- 
WBR, wRAR
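
The thread distinguishes a regenerated tarball that differs only at the byte level from one whose file contents were actually modified. The following is an added example, not part of the thread or of any Debian tool, that tells the two cases apart; the file names, sample data and the ad-hoc content digest are all constructed for illustration.

```python
import hashlib
import io
import tarfile

def make_tar(files, mtime, reverse=False):
    """Build an in-memory .tar.gz from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in sorted(files, reverse=reverse):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def content_digest(blob):
    """Hash member names, types, modes and file bodies; ignore member order,
    timestamps and compression, which is where regenerated tarballs drift."""
    entries = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            body = tar.extractfile(m).read() if m.isfile() else m.linkname.encode()
            entries.append((m.name, m.type, m.mode, hashlib.sha256(body).hexdigest()))
    return hashlib.sha256(repr(sorted(entries)).encode()).hexdigest()

def compare(reference, candidate):
    """Classify a candidate tarball against the reference copy."""
    if hashlib.sha256(reference).digest() == hashlib.sha256(candidate).digest():
        return "bit-identical"
    if content_digest(reference) == content_digest(candidate):
        return "same-contents"      # only the container differs
    return "contents-differ"        # file data or metadata was modified

# Constructed inputs: "archive" stands in for the already-uploaded orig tarball,
# "regenerated" for one rebuilt from a git branch, "modified" for a rebuilt
# tarball whose contents were changed along the way.
FILES = {"pkg-1.0/README": b"hello\n", "pkg-1.0/src/main.c": b"int main(void){return 0;}\n"}
archive = make_tar(FILES, mtime=0)
regenerated = make_tar(FILES, mtime=1700000000, reverse=True)
modified = make_tar({**FILES, "pkg-1.0/README": b"hello, patched\n"}, mtime=0)

if __name__ == "__main__":
    for label, blob in [("archive", archive), ("regenerated", regenerated), ("modified", modified)]:
        print(label, compare(archive, blob))
```

Only the "bit-identical" result keeps an existing detached `.asc` signature valid; "same-contents" still fails a hash or signature check against the archived tarball.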