XPost: linux.debian.devel, linux.debian.policy   
   From: otto@debian.org   
      
   I second Holger's comments. I think a lot of people want to stop doing   
   uploads via ftp/ssh and use git tags instead, but tag2upload / git   
   debpush has design decisions which breaks traditional software   
   provenance assumptions in Debian, such as being able to check   
   bit-for-bit that the tarball was actually the same as from upstream,   
   or store and check upstream signatures.   
      
   The tag2upload service is tightly coupled with dgit, and while dgit by   
   design will never support pristine-tar type of ability to reproduce   
   upstream tarballs bit-for-bit, it should at least have the actual   
   upstream signed tags instead (from upstreams that publish them).   
      
   Thus it is a bit too early to recommend git debpush to newbies. If   
   might be reasonable in the future though with some technical changes,   
   mainly these:   
      
   #1106071 wanted: tag2upload support for pristine-tar   
   #1110269 tag2upload (and dgit?) should deposit upstream tags   
   (+#1106073 dgit should convey upstream git tags to dgit-repos)   
      
   (I didn't find the bug report about sponsored upload metadata, perhaps   
   Holger can reference it)   
      
   There were already suggestions on debian-devel@ that maintainers   
   should use dgit push for the initial -1 upload and git debpush for the   
   -1+N uploads. That is obviously overly complex and shows that this is   
   not ready to be recommended to newbies in the developers reference.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)