Paul R. Tagliamonte writes ("Re: [RFC] General Resolution to deploy tag2upload"):
> I wonder if we have a good idea of what the project believes to be the case
> between #1 and #2:
> 
> 1) Is the source of a package the debian source distribution?
> 2) Is the source of a package the VCS where the source is held?

IMO (and I realise not everyone is going to agree with me):

Official doctrine in Debian is 1.
For most packages in Debian, the truth is 2.

This is pages 3 and 4 of the slides from my 2023 talk.

  
https://wiki.debian.org/DebianEvents/gb/2023/MiniDebConfCambridge/Jackson?action=AttachFile&do=get&target=slides.pdf

> Or, to extend it once more in the context of this discussion --
> should the source be built by a buildd from the "true" source? Why
> do we bother having a maintainer sign this intermediate artifact,
> like we used to with debs?
> 
> Even more extremely -- should we bother with dscs anymore if they're
> just an intermediate artifact?
> 
> Most extremely -- do we need a new dpkg source format? Should
> buildds build off git tags? Do we need to overhaul how we treat
> sources?

Those are all fine ideas, but I don't think they are deployable in the
huge Debian ecosystem.  tag2upload is the part of my programme to fix
this in a backward compatible way, without breaking anyone's workflow.

> Galaxy brain extremely -- what does GPL compliance mean if the dsc is not the
> true source? (ok this one isn't serious, there's no doubt it's corresponding
> source :) )

Regardless of legal considerations, I consider the current usual
situation intolerable for precisely these reasons: the actual source
code is only on salsa and is not useable in an automated way.

Sometimes the actual source code isn't on Debian-owned systems at all:
for example, some of the language team monorepo workflows have this
property, particularly those using a tarballs-based upstream
language-specific repository, rather than the git repos those packages
are actually maintained in by their respective upstreams.

IOW, IMO language-specific package repositories that publish tarballs
aren't publishing source code, either.  Those tarballs are
intermediate build products just like our .dsc tarballs-and-patches.

Even if the rest of the world is terrible and doesn't mind mystery meat
software sausage, we in Debian should be doing better than that.

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
