On Thu, 2024-06-20 at 12:48 -0700, Russ Allbery wrote:
> Ansgar 🙀 <ans...@43-1.org> writes:
>
> > Let us talk about *today*. How many packages would not be possible to
> > upload via tag2upload if one required a signature covering content of
> > packages? Is it 0.1%? Is it 90%?
[...]
> I personally do not have those numbers. I know there are a huge variety
> of workflows mostly from previous debian-devel discussions, which gives me
> an appreciation for the scope of the problem that tag2upload solves but
> doesn't give me numbers.
>
> I checked on trends.debian.net to see if by
> chance it was trying to collect workflow data, but the closest thing to
> relevant is graphs showing the overwhelming popularity of 3.0 (quilt) as a
> source package format.
>
> I can say that for the packages I maintain personally, 100% of them would
> not be possible to upload this way at some point over time. As mentioned
> previously, I frequently have reasons to carry a Debian-specific patch for
> some period of time (which is a file that's generated at source package
> build time)

And you do not have a working tree containing either the patched source
that would allow computing an integrity hash using 3.0 (native) or
separate debian/patches where 3.0 (quilt) would work?

What do these packages look like? Could you link to them?

If we want to drop integrity checks, I would like to at least know how
many packages would benefit from such a change.

Ansgar