On Wed, Oct 2, 2024 at 6:02 PM Robie Basak <robie.ba...@ubuntu.com> wrote:
>
> If we take a fresh upstream release directly into a stable release
> update, then it seems to me that it's important to validate that the
> orig tarball matches what upstream released, or is otherwise
> reproducible against what upstream released (eg. if it was repacked for
> the usual reasons).
>
> It's not currently a documented hard requirement for SRUs, but I think
> that it should be, or at least be our default position.
>

Why is this only a hard requirement for SRUs? IMHO it should be a hard
requirement for all uploads.

> I've noticed some matter related to this concern a couple of days
> running so I thought it was time to start a thread on this.
>
> When reviewing an SRU that does this, I usually take steps to verify
> this. If it doesn't match (usually due to a repack I cannot reproduce)
> then I query it. This is sometimes quite painful to do as I try to track
> down an upstream source and some way to validate it.
>
> We have tooling to make this easy in the majority of cases, with uscan,
> debian/watch and debian/upstream/signing-key.asc. I usually run `uscan
> --download-current-version`, check that HTTPS or GPG was used, and that
> the resulting tarball's hash matches the hash in the upload's changes
> file.

uscan is great. But for upstreams that don't work with uscan, maintainers
can document the procedure in the debian/README.source file, or even add a
get-orig-source target in debian/rules[1].

[1] https://www.debian.org/doc/manuals/maint-guide/dreq.en.html#targets

--
Shengjing Zhu
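The check Robie describes, comparing the downloaded orig tarball's hash with the hash recorded in the upload's .changes file, as an added example that is not part of the thread. It is plain POSIX sh over coreutils; the package name foo, the file names and the .changes contents are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an orig tarball matches the
# SHA-256 recorded in an upload's .changes file. Fixture data below is constructed.
set -eu

# Print the SHA-256 recorded for FILE in the Checksums-Sha256 stanza of CHANGES.
# Stanza lines are indented: " <sha256> <size> <filename>".
changes_sha256() {
  changes=$1; file=$2
  awk -v f="$file" '
    /^Checksums-Sha256:/ { in_stanza = 1; next }
    /^[A-Za-z-]+:/       { in_stanza = 0 }
    in_stanza && $3 == f { print $1; exit }
  ' "$changes"
}

# Compare the recorded hash with the actual hash of TARBALL.
# Returns 0 on match, 1 on mismatch, 2 if the .changes file has no entry for it.
verify_orig_tarball() {
  changes=$1; tarball=$2
  name=$(basename "$tarball")
  expected=$(changes_sha256 "$changes" "$name")
  [ -n "$expected" ] || { echo "no Checksums-Sha256 entry for $name" >&2; return 2; }
  actual=$(sha256sum "$tarball" | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name matches .changes"
    return 0
  fi
  echo "MISMATCH for $name: .changes says $expected, file is $actual" >&2
  return 1
}

# Constructed fixture: a stand-in orig tarball and a .changes file that lists it.
# Prints the temporary directory holding both.
make_fixture() {
  dir=$(mktemp -d)
  printf 'upstream source\n' > "$dir/foo_1.0.orig.tar.gz"
  sum=$(sha256sum "$dir/foo_1.0.orig.tar.gz" | cut -d' ' -f1)
  size=$(wc -c < "$dir/foo_1.0.orig.tar.gz" | tr -d ' ')
  cat > "$dir/foo_1.0-1.changes" <<EOF
Format: 1.8
Source: foo
Checksums-Sha256:
 $sum $size foo_1.0.orig.tar.gz
EOF
  echo "$dir"
}
```

In practice the tarball argument is the file that `uscan --download-current-version` fetched, and the .changes file is the one from the upload under review.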