Thomas Goirand writes ("Re: [RFC] General Resolution to deploy tag2upload"):
> On 6/18/24 10:03, Aigars Mahinovs wrote:
> > The point is that with certain git-centric workflows (like what Russ
> > described for git-debrebase) there never is a *.dsc or a debian.tar.xz
> > or even an orig.tar.gz. Those are never there to be checksummed. And
> > the process for getting from the real git tree that a developer
> > *actually* does their work on and verifies the contents of to these
> > generated source artifacts is sufficiently non-trivial that people end
> > up never actually verifying the files they are signing. The signature
> > on the dsc is signing something that people never actually check.
>
> How do you upload then? There's somewhere a script that actually creates
> the .dsc and .changes files for upload, right?
Typically, and I'm sure Russ is doing this, you run
dgit push-source
That does the git to dsc conversion on your laptop. dgit push works
really well - most of dgit's users seem very happy with it. You can
adopt it today; there are a number of benefits you experience directly
as an uploader.
But: dgit is still complicated; it has many dependencies; it often
needs to download tarballs; manipulation of source packages can be
slow; etc. dgit is working really hard to paper over the many strange
properties of sourcxe packages. That's the work we're trying to move
to a central service.
We want Russ to be able to do these uploads without installing and
runing dgit.
Ian.
--
Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
