XPost: linux.debian.devel, linux.debian.policy   
   From: simon@josefsson.org   
      
   Simon McVittie writes:   
      
   >>> "pristine-tar: With a new upstream version, tag2upload will generate a   
   >>> fresh orig tarball with git archive (via git-deborig). This is OK, but   
   >>> it may surprise some users. 1106071."   
   >>   
   >>This is probably the toughest nut, and is mostly a matter of opinion if   
   >>pristine-tar is a good pattern and offers anything useful.   
   >   
   > I think pristine-tar is a bit of a red herring here, and the real   
   > matter of opinion is:   
   >   
   > 1. on one side, some developers/workflows/upstreams place value on having   
   > the orig.tar.* be the same bytes that were delivered by upstream   
   > (in particular so we can validate signed tarballs)   
   > or if that isn't possible for DFSG reasons, at least having the   
   > orig.tar.* contain everything that upstream delivered in their   
   > official source release, minus the parts that either copyright law   
   > or our self-imposed rules require us to remove   
   >   
   > 2. on the other side, some developers/workflows/upstreams(?) place value   
   > on having the upstream source code be the same filesystem tree   
   > ("tree-same") that is in upstream's *git repository*, which might or   
   > might not be closely related to what they release in tarballs if   
   > any, minus the parts that either copyright law or our self-imposed   
   > rules require us to remove   
      
   That is a good summary -- and establishes that both positions are actually   
   reasonable, or at least not unreasonable, and that they are in conflict.   
      
   I think there are a lot of arguments that try to convince people that   
   only one of those views is objectively right.   
      
   My suggestion on how to solve this dilemma is for upstreams to publish   
   cryptographically signed git-archive tarballs. With those, I believe   
   both camps should get all the properties they are attempting to reach.   
      
   https://blog.josefsson.org/2024/04/01/towards-reproducible-minimal-source-code-tarballs-please-welcome-src-tar-gz/   
   https://blog.josefsson.org/2024/04/13/reproducible-and-minimal-source-only-tarballs/   
      
   Some people demand a further approach: replace signed git-archive   
   tarballs with signed git-bundles to ship the entire git history. We do   
   this for gnulib, but I think few projects need that.   
      
   /Simon   
      
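An added, illustrative shell script (not part of the thread; it assumes git, tar and cmp are on PATH and builds a throwaway sample repository) showing the two properties the signed git-archive proposal relies on: a tarball regenerated from the tag is byte-identical to the one upstream produced, so upstream's detached signature still verifies against it, and the tarball's file list is tree-same with the git tree at that tag.

```shell
#!/bin/sh
# Added demonstration, not code from the thread: why a detached signature over a
# `git archive` tarball satisfies both the "same bytes" and the "tree-same" camps.
set -eu

# Build a throwaway repository with one tagged release (constructed sample data).
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email maint@example.org   # placeholder identity
  git -C "$dir" config user.name "Example Maintainer"
  printf 'hello\n' > "$dir/README"
  mkdir "$dir/src"
  printf 'int main(void) { return 0; }\n' > "$dir/src/main.c"
  git -C "$dir" add -A
  git -C "$dir" commit -q -m 'release 1.0'
  git -C "$dir" tag -a -m 'v1.0' v1.0
  echo "$dir"
}

# Produce the archive upstream would sign: plain tar (no compression layer to
# vary), fixed prefix, generated from the tag so mtimes and ordering come from
# git objects rather than the local checkout. Signing itself (e.g. a detached
# gpg signature over this file) happens out of band and is not shown here.
archive() {  # $1=repo $2=tag $3=output path
  git -C "$1" archive --format=tar --prefix="${2#v}/" "$2" > "$3"
}

# Property 1: two independent generations yield identical bytes, so a
# signature upstream made over its copy verifies against the regenerated one.
reproducible() {
  repo=$1; tag=$2
  archive "$repo" "$tag" "$repo/a.tar"
  archive "$repo" "$tag" "$repo/b.tar"
  cmp -s "$repo/a.tar" "$repo/b.tar"
}

# Property 2: the archive's file list equals the git tree at the tag
# (tree-same), after dropping directory entries and the prefix component.
tree_same() {
  repo=$1; tag=$2
  archive "$repo" "$tag" "$repo/c.tar"
  tar -tf "$repo/c.tar" | grep -v '/$' | cut -d/ -f2- | LC_ALL=C sort > "$repo/from_tar"
  git -C "$repo" ls-tree -r --name-only "$tag" | LC_ALL=C sort > "$repo/from_git"
  cmp -s "$repo/from_tar" "$repo/from_git"
}
```

Run `repo=$(make_repo); reproducible "$repo" v1.0 && tree_same "$repo" v1.0` to check both properties on the sample repository.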