Hello, On Sat 15 Feb 2025 at 12:10pm +01, Stéphane Glondu wrote:
> Summary to other debian-devel readers: we are facing some upstreams that > publish "official" tarballs that differ from what is in their git. The > differences may include: variable substitutions, generated files... I guess > this is pretty common (cf. autotools). Moreover, the build system behaves > differently if it is called from git or not, or from extracted official > tarballs or not. > > IMHO, traditionnaly, "source code" from Debian point of view is whatever > upstream releases as "official" tarballs (i.e. elpi-2.0.7.tbz), which may > differ from what is in upstream git (i.e. v2.0.7.tar.gz). What makes me think > that is the special care that is taken in keeping upstream tarballs pristine > (with their signatures...). > > Some may consider that this Debian notion of "source code" differs from the > GNU "preferred form of modification", which would rather be what is in > upstream git... or is it? In Debian, we "modify" upstreams by applying patches > on top of them, so I argue that using "official" tarballs is fine as long as > patches used in Debian packaging apply on upstream git as well. > > Anyway, I do think the "GNU" source should be recoverable from the "Debian" > source. Technically, this is usually not the case with variable substitutions, > but IMHO it's acceptable to use the substituted sources most of the time. > > On the other hand, insisting on using upstream VCS contents can lead to ugly > hacks in Debian packaging, such as what you are describing. I must admit I > usually use "official" tarballs to avoid these hacks (and maybe a little out > of laziness). I think that basing our work on upstream Git makes our source packages more useful, and more accurately reflects our commitment to providing the preferred form of modification for everything in our archive. If our work is based on upstream Git then users can clone source packages from salsa (or, better, 'dgit clone' if the maintainer has used 'dgit push-source') and can use powerful tools like 'git blame' and 'git bisect' to understand their bug. With tarballs the granularity of these tools is so much less. -- Sean Whitton
signature.asc
Description: PGP signature
