Marcelo E. Magallon wrote:
> Peter is correct. Just a small note: it is VERY important that the
> .orig.tar.gz IS the original tar.gz (the name doesn't matter);
Hmm, I note that the cvs-buildpackage package creates a new .orig.tar.gz
file. If it were *that* important, surely this standard debian tool
would have a way to deal with the issue?
IMO, the advantages of having pristine upstream tarballs are *far*
outweighed by the advantages of CVS. If it's really *that* important to
have pristine .orig.tar.gz's, perhaps a bug should be filed against
cvs-buildpackage?
Note that 1) in many cases, using the pristine upstream tarballs is
either impossible or undesirable, and 2) you already have to trust the
developer to deliver a reliable *binary*, why get all paranoid about the
sources? It doesn't take that long to do a diff -r against the source
trees if you're really curious.
--
Chris Waters [EMAIL PROTECTED] | I have a truly elegant proof of the
or [EMAIL PROTECTED] | above, but it is too long to fit into
http://www.dsp.net/xtifr | this .signature file.
