Simon Richter writes ("Re: Summary of the current state of the tag2upload 
discussion"):
> On 6/25/24 09:38, Brian May wrote:
> > But like it or not mistakes can happen. e.g. somebody applies a security
> > update to the project. And uploads it to Debian. But forgets to do a git
> > push to salsa.
> 
> You can only call it "forgetting" to do a git push if you introduce a 
> policy that contributions to git-maintained packages have to be made 
> through git.

In fact, tag2upload avoids this *even for NMUs made outside git* !

This is because it is possible for a computer to tell that you're
overwriting someone's changes.  The debian/changelog will be missing
the previous upload.  This situation is detected by `dgit push`.
It's one of the extra safety catches that dgit has - one of the
reasons why using dgit for all your uploads is a good idea.

And, because tag2upload reuses much of the same implementation, this
situation is also detected by tag2upload.

So with tag2upload, you'll get an email report from the t2u server
saying that your upload failed.  (Overwriting a non-git-based NMU
can't be detected locally by git-debpush because by definition the
thing you're overwriting isn't in git.)


But, with wide tag2upload adoption, things are even better:

If everyone is using tag2upload[1], we simply avoid the problem,
by avoiding the mistake.  This is because git-debpush's default
behaviour is to push your *branch* as well as just the *tag*.

So the original mistake, of forgetting to push to salsa, is simply
avoided, because it's not something a human needs to remember to do.


One of the design principles of both dgit and tag2upload is to try to
avoid having humans do work that can be done by computers.
Especially, avoiding humans having to check things, or remember to do
every step in a multi-stage process.  These kinds of tasks are often
dull, and humans are very bad at them.


So, yes, tag2upload offers an end to accidental reversion of NMUs.

Ian.


[1] Strictly speaking, if everyone is using git-debpush - the
tag2upload tag signing utility that we're providing.  If you write the
tag by hand, or with some other tool, then the behaviour might be
different.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
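
The changelog check described in the message above, sketched as an added example (not part of the original message and not dgit's or tag2upload's own code). The function names and the sample changelog are hypothetical, and the archive's current version is assumed to be supplied by the caller.

```python
import re

# A changelog entry starts at column 0: "source (version) distribution(s); ..."
# Change lines and the " -- maintainer" trailer are indented, so they never match.
HEADER_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+ \(([^()\s]+)\)\s+[^;]+;")

def changelog_versions(text):
    """Return every version listed in a debian/changelog, newest first."""
    versions = []
    for line in text.splitlines():
        match = HEADER_RE.match(line)
        if match:
            versions.append(match.group(1))
    return versions

def previous_upload_included(changelog_text, archive_version):
    """True if the tree's changelog accounts for the upload now in the archive.

    archive_version is the version currently in the archive (supplied by the
    caller in this sketch), or None for a package that is not there yet.
    """
    versions = changelog_versions(changelog_text)
    if not versions:
        raise ValueError("no changelog entries found")
    if archive_version is None:
        return True
    # Exact match on whole version strings: "2.10-2" must not satisfy "2.10-2.1".
    return archive_version in versions

# Constructed sample: a maintainer tree that never saw an NMU numbered 2.10-2.1.
SAMPLE_CHANGELOG = """\
hello (2.10-3) unstable; urgency=medium

  * Maintainer upload prepared from a tree without the NMU.

 -- Constructed Maintainer <maint@example.org>  Tue, 25 Jun 2024 10:00:00 +0000

hello (2.10-2) unstable; urgency=medium

  * Previous maintainer upload.

 -- Constructed Maintainer <maint@example.org>  Mon, 03 Jun 2024 10:00:00 +0000
"""

if __name__ == "__main__":
    for archive in ("2.10-2", "2.10-2.1"):
        ok = previous_upload_included(SAMPLE_CHANGELOG, archive)
        print(archive, "ok" if ok else "REFUSE: changelog lacks the previous upload")
```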
