From: simon@josefsson.org   
      
   Hi.  I got this failure for golang-github-smallstep-certificates that   
   uses a .gitattribute for export-subst version handling:   
      
    .VERSION | 2 +-   
    1 file changed, 1 insertion(+), 1 deletion(-)   
   git-debpush: check failed: the upstream source in tag v0.29.0 is not identical   
   to the upstream source in refs/heads/debian/latest ('upstream-nonidentical'   
   check)   
      
   I don't pin to upstream git here, but instead imports the tarball, which   
   differs for this file.   
      
   I've learned that your --quilt=gbp mode ignores differences in the   
   upstream top-level .gitignore file.  I really dislike upstream source   
   differences, and have been using --quilt=unapplied to detect this   
   situation and then revert all such changes in my Debian packages.   
      
   However this got me thinking about an improvement here:   
      
   Couldn't you extend --quilt=gbp (or add another quilt mode) that behave   
   the same for .gitignore but for all files in .gitattributes marked with   
   export-subst?   
      
   You'd need a .gitattributes parser, but it is fairly simple.  Any file   
   marked with 'export-subst' would then be subject to the same "ignore"   
   handling as the .gitignore file.   
      
   What do you think?   
      
   Of course, this opens up for supply-chain vulnerabilities planted in   
   differences in those files, but you already have that for .gitignore,   
   and even extending the set further severely limit the scope of such   
   attacks compared to having the same problem for all upstream source code   
   -- while at the same allows a possibly important and growing use-case   
   for version-related export-subst files.   
      
   /Simon   
      
   -----BEGIN PGP SIGNATURE-----   
      
   iQNoBAEWCgMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmmYD28UHHNpbW9uQGpv   
   c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f   
   V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z   
   ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh   
   BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA   
   /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx   
   +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx   
   I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0   
   +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R   
   cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE   
   8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J   
   ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6   
   qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB   
   BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA   
   JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF   
   PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh   
   is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFotaKAQDP/whwPoOP   
   0FRRXBHesebw4GcX/VnGzAjKNoR0UFFzkwEAvk/upMI/CfSmXCUd2pULL1cxgWZa   
   osz9DyGEDS0SWgE=   
   =cxo7   
   -----END PGP SIGNATURE-----   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)