On Thu, Oct 03, 2024 at 09:51:36PM +0800, Shengjing Zhu wrote:
> On Wed, Oct 2, 2024 at 6:02 PM Robie Basak <robie.ba...@ubuntu.com> wrote:
> > If we take a fresh upstream release directly into a stable release
> > update, then it seems to me that it's important to validate that the
> > orig tarball matches what upstream released, or is otherwise
> > reproducible against what upstream released (eg. if it was repacked for
> > the usual reasons).

> > It's not currently a documented hard requirement for SRUs, but I think
> > that it should be, or at least be our default position.

> Why is this only the hard requirement for SRU? IMHO It should be a
> hard requirement for all the uploads.

I agree, and it's something that I as an uploader take care of whenever I am
in a situation of packaging a new upstream version. But there's no
enforcement of it at the archive level (this wouldn't even be meaningful),
so in the devel series we rely on individual uploaders to check/enforce this
(just as we do in Debian).

The SRU process however has an additional review step with the SRU team, so
it is possible to impose such a check at that point.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel