Hi,

On 6/27/24 00:41, Russ Allbery wrote:
> The second case seems fine with tag2upload? Particularly if upstream signs the Git tag. Instead of pointing to a possibly signed release tarball, the tag2upload tag points to a signed upstream Git tag. We get basically the same properties and avoid dealing with opaque upstream tarballs.
The one property we don't get is "our orig archive is bitwise identical with what is on upstream's release page" -- which is a *very* important property if I'm being asked to sponsor a package, as it saves me a long investigation.
> Obviously this depends on what things are added to the release tarball, and there are a bunch of cases with gnulib, etc., where it's difficult to reproduce what upstream does during the release process for one reason or another. But there are a lot of upstreams for which this is not the case.
In my packages the git tree does not contain any autogenerated files, which means that people using it will have to run autogen.sh. I think pretty much everyone else using autotools is doing the same.
Simon