All,

There is discussion in the 'Simpler git workflow for packaging with upstreamless repositories' thread about the merits of pristine-tar.

One important value people appear to see is to be able to assert that orig.tar.gz's integrity can be chained back into some data in the git repository. I agree with the value of being able to assert and verify bit-by-bit-identical upstream source tarballs. I'd like to explore if we can achieve the same goal without pristine-tar.

How about putting SHA256 checksums of the upstream *.orig.tar.* in, say, debian/upstream/? What do you think about the following DEP/RFC-style specification?

/Simon

Upstream source tarball checksums: debian/upstream/*SUMS
========================================================

Checksum files are organized on a per-hash filename basis. SHA256 checksums are put in a file debian/upstream/SHA256SUMS. Generally files MUST be parseable by the 2024-era interface of Coreutils checksum tools such as 'sha256sum -c'.

New checksum values are added for each new upstream release tarball. Multiple tarballs can be supported, if the Debian package is making use of that feature.

The filenames in the *SUMS file should be the *.orig.tar.* filename used within the Debian archive. A checksum of upstream's tarball name MUST be included, as it is retrieved by debian/watch. This normally results in the same checksum value as for the *.orig.tar.* file. Having both checksum lines helps to establish a cryptographic connection from Debian's tarball name to upstream's tarball name. The checksums will be different when Debian re-packs upstream's source tarball, but there is still value in recording the upstream tarball used as a basis for creating the Debian source tarball.

Native Debian packages are not supported, as they don't have a reasonable external upstream that can be checksum'ed.

Adding support for new algorithms is simple, just add a new file. For backwards compatibility with old tools used in the future, and to establish a known least-supported base-line, the debian/upstream/SHA256SUMS file MUST exist if any debian/upstream/*SUMS files are present, and MUST contain all relevant checksums.

There MAY be checksums of auxiliary files -- such as PGP *.asc or *.gpg signatures, Sigsum *.proof files, CMS/PKCS7 signatures, Sigstore cosign artifacts, etc.

Comments are supported by beginning each line with a # character, optionally preceded by whitespace.
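As an added example (not part of Simon's post or of any Debian tool), the following POSIX shell script shows what a consumer of the proposed debian/upstream/SHA256SUMS file would do: verify the tarballs with plain 'sha256sum -c' and, for a given *.orig.tar.* name, recover the upstream filename recorded with the identical checksum. The package name "foo", both tarball names and their contents are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: check tarballs against
# debian/upstream/SHA256SUMS using only coreutils ('sha256sum -c'),
# and follow the Debian-name -> upstream-name chain recorded there.
# Package "foo", file names and payload below are constructed.

# Build a throwaway tree: one fake upstream tarball stored under its
# upstream name and under its Debian *.orig.tar.gz name, plus a SUMS
# file with one line per name (same hash, since nothing was re-packed).
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/debian/upstream"
  printf 'constructed upstream payload\n' > "$dir/foo-1.2.tar.gz"
  cp "$dir/foo-1.2.tar.gz" "$dir/foo_1.2.orig.tar.gz"
  sum=$(sha256sum "$dir/foo-1.2.tar.gz" | cut -d' ' -f1)
  {
    echo '# Upstream source tarball checksums (constructed example)'
    echo "$sum  foo_1.2.orig.tar.gz"
    echo "$sum  foo-1.2.tar.gz"
  } > "$dir/debian/upstream/SHA256SUMS"
  echo "$dir"
}

# Verify every line of debian/upstream/SHA256SUMS. sha256sum -c resolves
# file names relative to the working directory, so run it from the tree.
# Returns 0 only if the SUMS file exists and all listed files match.
verify_upstream_sums() {
  tree=$1
  sums="$tree/debian/upstream/SHA256SUMS"
  [ -f "$sums" ] || { echo "missing $sums" >&2; return 1; }
  (cd "$tree" && sha256sum -c debian/upstream/SHA256SUMS >/dev/null)
}

# Given the Debian *.orig.tar.* name, print every other file name recorded
# with an identical checksum, i.e. the upstream name(s) it chains to.
# Empty output means the tarball was re-packed or the upstream line is
# missing; returns 1 if the Debian name itself is not listed at all.
upstream_names_for() {
  sums="$1/debian/upstream/SHA256SUMS"
  debname=$2
  hash=$(awk -v f="$debname" '$1 !~ /^#/ && $2 == f { print $1; exit }' "$sums")
  [ -n "$hash" ] || return 1
  awk -v h="$hash" -v f="$debname" '$1 == h && $2 != f { print $2 }' "$sums"
}

# Stand-alone demo: verify the sample tree, then print the chained name.
demo_tree=$(make_sample_tree)
verify_upstream_sums "$demo_tree" && upstream_names_for "$demo_tree" foo_1.2.orig.tar.gz
rm -rf "$demo_tree"
```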