Russ Allbery <r...@debian.org> writes: > #### Misattribution of the source package
For a real life problem that I imagine tag2upload will solve: It is reasonable common that git is the "authoritative source of truth" for the current state of the project. But like it or not mistakes can happen. e.g. somebody applies a security update to the project. And uploads it to Debian. But forgets to do a git push to salsa. Then later on - maybe months. Or years. The packages I deal with don't change frequently. Somebody else makes changes to the git based on the salsa repo. And they push the changes to salsa. And they upload a new version to Debian. But surprise surprise, that version conflicts with the version already in the repo, due to the conflicting Debian version number. If the person is observant they will realize that this is a sign that the git repo is missing a version that is in the Debian upload. i.e. They are missing the security fix. The debian/changelog should make this obvious. And that the git repo is missing the version that has already been uploaded to Debian, and fixing this is now going to be messy. Because the git repo now contains conflicting changes for the same version. Maybe the solution here is to forget about trying add the current Debian version to git, and just worry about including all the required changes for the next release. On the other hand, if they are rushing too much, they may decide just to increment the version number. And suddenly that important security fix has just been dropped. Or maybe due to legacy reasons, the version somehow did get incremented without anyone noticing, no conflict occured on the upload, and the security fix siliently got lost. But: If there was a requirement that the git repo be pushed in order to do the upload to Debian, none of this would have happened. As I imagine would be the case if you used tag2upload. Yes, I have had this scenario happen a number of times now. It is horrible when it does happen. -- Brian May @ Debian
