On 17.06.24 12:14, Ian Jackson wrote:
> [1] "precisely the patches in d/patches" turns out to be extremely
> complicated in the general case.  Different maintainer tooling
> interprets d/patches differently.  dpkg-source and gbp do not agree!
> There are maintainer workflows and git trees with partially
> incompatible notions!

That's an important point IMHO.

Say I need to apply a security patch to some package's git tree on Salsa. How can I be sure to even create the same source tree as the previous uploader? I don't know which tool the maintainer used, nor the options supplied to it, so I can't.

Thus I need to ignore the maintainer's git tree in favor of "apt-get source", manually apply the fix, upload that to the archive, then apply the (hopefully) exact same patch to the actual git sources. Sorry but WTF? [1]

t2u knows how to build the source and will do it the same way with the security patch applied. Way less margin for error. [2]

[1] I have a ton of sympathy for those DDs (I know of at least three) who decided to pause their involvement with Debian packaging because there still is zero support for a "git make-special-tag && git push builder" workflow.

[2] There'd be even less margin for error if we decided on *one* canonical git-compatible workflow that our maintainers are expected to use, as in a "when somebody converts your package to this structure you don't get to veto them and you don't get to undo their work" policy, but that's at least another decade of Debian-style discussions away.

--
-- regards
--
-- Matthias Urlichs
