Hi Charles, Thanks a lot for taking time to explain it to me.
On 2025-09-12 17:10, Charles Plessy wrote:
Hi Andrius, if we do gbp import-orig with foo.tgz, and then gbp buildpackage, only if we use --pristine-tar we can recreate an orig tarball from scratch that is identical to what we gave to gbp. In the git debpush workflow, the orig tarball is recreated from the Git repository if it does not exist in the Debian archive. It has the same files but not necessarily the same checksum as upstream's source tarball, but this is not a blocker because if we want to do a Debian revision to the source package, we (and tag2upload) can download Debian's version of the upstream source tarball, and therefore keep it stable.
Well, this looks like a serious drawback to me. Not having bit-by-bit reproducibility, we cannot ensure that no tampering with the upstream tarball has been done. While this was fine prior to the xz-utils case, I do not think it is anymore.
Best, Andrius
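Added illustration, not part of either message: a tarball regenerated from the same files is content-identical but byte-different, so a content-level comparison can only say "same files", while the byte-level check that --pristine-tar makes possible is what proves the orig tarball is exactly upstream's. The fixture (foo-1.0/main.c, the two .tgz files) is constructed here and assumes GNU tar, gzip and coreutils.

```shell
#!/bin/sh
# Added example, not from the thread: same files, different bytes.
set -eu

# sha256 of the archive bytes: what a pristine-tar/upstream comparison checks.
tarball_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# sha256 over the sorted (file hash, path) list: ignores mtimes, member order
# and gzip headers, so it only establishes "same files", not "same tarball".
content_digest() {
  d=$(mktemp -d)
  tar -xzf "$1" -C "$d"
  ( cd "$d" && find . -type f | LC_ALL=C sort | xargs sha256sum | sha256sum | cut -d' ' -f1 )
  rm -rf "$d"
}

# Constructed fixture: an "upstream" tarball and a "regenerated" one holding
# the same files, but with fresh mtimes and a timestamped gzip header.
make_fixture() {
  w=$(mktemp -d)
  mkdir "$w/foo-1.0"
  printf 'int main(void) { return 0; }\n' > "$w/foo-1.0/main.c"
  touch -d '2025-01-01 00:00:00' "$w/foo-1.0" "$w/foo-1.0/main.c"
  tar -C "$w" -cf - foo-1.0 | gzip -n > "$w/upstream.tgz"
  # Fresh mtimes, as a git checkout would have; gzip without -n adds a timestamp.
  touch "$w/foo-1.0" "$w/foo-1.0/main.c"
  tar -C "$w" -cf - foo-1.0 | gzip > "$w/regenerated.tgz"
  echo "$w"
}

# Succeeds only when the candidate tarball is byte-identical to the expected hash.
verify_orig_bytes() { [ "$(tarball_sha256 "$1")" = "$2" ]; }
```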