XPost: linux.debian.devel, linux.debian.policy   
   From: spwhitton@spwhitton.name   
      
   Hello,   
      
   Holger Levsen [10/Feb  3:11pm GMT] wrote:   
   > as I said on the thread on -devel, there are at least two annoying bugs in   
   > tag2upload which make me not want to use it yet and which I think also   
   > prevent suggesting to use it to everyone in all cases.   
   >   
   > (to repeat: a.) impossible to do -1 uploads while preserving existing signed   
   > upstream tarballs and b.) loosing the information that an upload was   
   sponsored.)   
      
   Thanks.  Let me respond to each of these:   
      
   (1) The vast majority of upstreams that newcomers are likely to   
       encounter do not produce tarballs.  Instead, they push signed git   
       tags, and let GitHub/some other forge publish automatically   
       generated tarballs for those that want them.   
      
       It makes no sense to privilege these automatically generated   
       tarballs.  Rather, we should care about the tags the human   
       maintainers sign, which is exactly what tag2upload does.   
      
       There are upstreams that produce signed tarballs and Debian   
       maintainers who are keen on us archiving all those.  But those are   
       overwhelmingly packages maintained by our existing experienced   
       developers, who wouldn't be reading this text anyway.   
      
       So, as one relatively old-timer to another, I would ask you to try   
       to put yourself in the shoes of newcomers and the upstream projects   
       they tend to want to package for Debian when thinking about this.   
      
       It's also the case that we often repack tarballs to remove   
       DFSG-incompatible files, which changes the checksums anyway.   
      
   (2) This is #1116530.  I understand your concern here.  It's unfortunate   
       that the code generating the relevant web view has not been updated   
       yet.  At the same time, tag2upload has already processed hundreds of   
       uploads, and we can expect the uptake to only steadily increase from   
       here.  So we are going to have this problem until the bug is fixed   
       no matter whether dev-ref changes.  Therefore, I don't think it   
       makes sense to block updating dev-ref on this.   
      
   > and there are more limitations to tag2upload as you've described in your   
   patch,   
   > which I think are additional reasons not to suggest tag2upload by default for   
   > everyone, but rather as a special workflow for people who want to experiment   
   > (and/or use) it.   
   >   
   >> +To perform a source-only upload, use the ``git debpush`` program.   
   > [...]   
   >> +package maintainers perform.  However, there are some cases in which a   
   >> +source-only upload is possible but ``git debpush`` cannot be used:   
   >   
   > ^^ this is what I ment in my last paragraph.   
      
   You're right that there are a number of cases we can't handle, but what   
   you didn't quote here is my sentence   
      
       ``git debpush`` covers the vast majority of source-only uploads that   
       Debian package maintainers perform.   
      
   which is true.  The exceptions really are exceptions -- many, perhaps   
   most Debian package maintainers will never encounter them.   
      
   Of course, I wanted to update our docs with all the relevant cases, so I   
   described them.  But that doesn't change the fact that a general   
   recommendation to do source-only uploads with 'git debpush' will suit   
   most contributors just fine, and especially new contributors.   
      
   --    
   Sean Whitton   
      
   --=-=-Content-Type: application/pgp-signature; name="signature.asc"   
      
   -----BEGIN PGP SIGNATURE-----   
      
   iQJNBAEBCgA3FiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmmLbkIZHHNwd2hpdHRv   
   bkBzcHdoaXR0b24ubmFtZQAKCRBpW3rkvwZiQC16D/9TcMBEtFeL70b4macm2oq2   
   cZPEiBNr/nwyyhK/uh0UILJs5xlJPsqPQYM9Sxx+SVfpaycCL08YGITYgRkC/ySl   
   31iAfKGBK9uwolnlmPpw3G+r82SdJrZMskQOnLt6c12mrOIxVuv2yWS05UQYOe23   
   FcT/z17yQYjg/aIYBBTIdatFcfuN5XHh2ezTg6dPXZzIaXXIsZDcCtBzf/SbHbtX   
   2RRzBsdYY0Idot8grj2RSu3jYvfr8sUNWqrV5uR+zzde/TA+U74neshwXgMHyfxz   
   5sD/7Lv3pSQKMaiUCiYbRyYt1uu7cUYg6BPQpnLdjbhq5qLk/yaBRU33uC6eBI8h   
   5wA5XET+TETeCuYENEgxFIKSZzkWesNRF7+jmGng2Q+YTlcIqQjdPc5Ivz48twko   
   ywUvg71+UkO/K6KQE+JqFsH7dDkaDK9KqXH27FC2WIuYAGAvUVmjZUiirUdoUKow   
   sGU5sicYis3jqnNiPI25VojUiQ0zwjwi+owne9KbsZyU8C+n8pJvNeEiezolo99r   
   9Nd9CXhP58J/ZZ05pwwCnPHyZfb61zHL0IHVI60CQAhP1Jw8ATxKnQjpj9Nvl7us   
   KN/iqkYj0juo9/3QwRxhPYZgcmQF9A394TZ0a7hQUuEbP5yfx8+HxjPe+RcAvxZU   
   99KLVxzIsgj1eAb5mcpErQ==FHRC   
   -----END PGP SIGNATURE-----   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)