On 16 October 2014 18:01, Thomas Goirand <z...@debian.org> wrote:
> Using pristine-tar and pulling from upstream VCS is silly. If you do
> like this, then why not just doing tag-based packaging? That's a lot
> safer than just re-tagging on top of what upstream does (ie: no risk to
> introduce any difference).

If you are fetching the upstream revisions / tags into your packaging repository, you can use the upstream tag exactly as-is, no need to re-tag (and indeed re-tagging would generally be a bad idea).

>> Using upstream tags
>> *without* using pristine-tar would seem to be inadvisable
>
> For what reason exactly? In what way pristine-tar helps when basing your
> packaging on upstream Git tags?

The purpose of pristine-tar is the same whether you base it on a revision fetched from upstream, or a revision created by git-import-orig or a similar tool: it allows you to produce the original byte-for-byte tarball from the git repository, without having to store the tarball itself in the repository in addition to the contents of the tarball. (Although apparently it does not always succeed at doing this...)

For most software, the primary distribution mechanism is a tarball released by upstream on their website, their project hosting service, or on a service like PyPI. If such a tarball exists, and is suitable for use in Debian, then having the upstream source in Debian match the tarball distributed by upstream byte-for-byte makes it much easier to verify that the source in Debian is unmodified from the upstream source. This is harder when the tarball is generated from a git tag: the source package does not include the information necessary to match it against the git tag, comparing the individual files is necessary instead of comparing the archive, and producing the upstream source (.orig.tar.gz) will produce a tarball with different bytes every time (even if the file contents will not change).

Alternatively, if you will never generate the upstream source from the git repository, then you avoid this problem, but then building a particular package version may require manually fetching the correct tarball from the archive / snapshot.debian.org if they are no longer available from the original source.
--
mithrandi, i Ainil en-Balandor, a faer Ambar
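An added illustration of the byte-for-byte point in the message above (not part of the original message): two exports of the same constructed tree made at different times differ as archives, so a single archive hash no longer verifies them and a per-file comparison is needed instead. The sample tree, timestamps and function names are assumptions made for this example.

```python
import gzip, hashlib, io, tarfile

# Constructed sample "upstream tree" (not taken from any real project).
TREE = {"pkg-1.0/setup.py": b"print('setup')\n",
        "pkg-1.0/pkg/__init__.py": b"__version__ = '1.0'\n"}

def make_orig_tarball(tree, build_time):
    """Build a .tar.gz in memory; build_time stands in for when the export ran."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = build_time          # recorded in every tar member header
            tar.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    # The gzip header also embeds a timestamp.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=build_time) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_digest(blob):
    """SHA-256 of the archive bytes: the check that works for a pristine tarball."""
    return hashlib.sha256(blob).hexdigest()

def content_manifest(blob):
    """Map member name -> SHA-256 of file contents, ignoring tar/gzip metadata."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(data).hexdigest()
    return manifest

def compare(a, b):
    """Return (archives_identical, contents_identical, names of differing files)."""
    ma, mb = content_manifest(a), content_manifest(b)
    differing = sorted(n for n in ma.keys() | mb.keys() if ma.get(n) != mb.get(n))
    return archive_digest(a) == archive_digest(b), not differing, differing

if __name__ == "__main__":
    first = make_orig_tarball(TREE, 1413482460)    # constructed timestamps
    second = make_orig_tarball(TREE, 1413568860)
    print(compare(first, second))
```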