Simon Richter <s...@debian.org> writes: > On 6/27/24 00:41, Russ Allbery wrote:
>> The second case seems fine with tag2upload? Particularly if upstream >> signs the Git tag. Instead of pointing to a possibly signed release >> tarball, the tag2upload tag points to a signed upstream Git tag. We >> get basically the same properties and avoid dealing with opaque >> upstream tarballs. > The one property we don't get is "our orig archive is bitwise identical > with what is on upstream's release page" -- which is a *very* important > property if I'm being asked to sponsor a package, as it saves me a long > investigation. Instead, we have "our orig archive is treesame to the upstream signed Git tag." This seems equivalent? We don't have as simple of tools right now to *check* this property, but that's a fixable problem, and the amount of *information* is the same. By all means, don't use tag2upload if you don't like its upstream tarball handling, and I think supporting pristine-lfs in tag2upload is a good idea to handle the cases where upstream is tarball-centric. (I personally would not be eager to support pristine-tar only because I don't think it's sustainable, but it is very widely used, so my personal opinion may be wrong.) But I do think using the signed upstream Git tag even when they also have a signed tarball release is defensible and a matter of personal preference. > In my packages the git tree does not contain any autogenerated files, > which means that people using it will have to run autogen.sh. I think > pretty much everyone else using autotools is doing the same. Right, but that's a feature, not a bug. If it's just a matter of running the autotools, it's *better*, in my opinion, to start from the Git tag so that you don't have the already-generated files that you are trying to discard sitting around obscuring the situation and possibly still lingering because we have some bug in the code that's supposed to move them aside. I do not currently practice what I preach and currently base the Debian packages for code for which I'm also upstream on signed tarballs, but that's because I'm a creature of habit and haven't gotten around to changing that yet. -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
