Package: dgit-infrastructure
Version: 15.7

Sean, tl;dr: would you please review my wording below under "Maybe we should have something like the following message".

In tag2upload job 4185 we see this
  https://lists.debian.org/debian-tag2upload/2026/05/msg00762.html

The report includes

  Could perhaps be forced using --deliberately-<something>. See dgit(1).

But it ought to have included the hint message ($questionable_head_msg_core et al in dgit-repos-policy-debian).

Looking at the code again, it looks like at the time of this job, 0.12-1 was in unstable. So package_questionable_head_msg found that $pkg_exists but not $pkg_secret, and returned undef.

That's kind of correct because if it had carried on it would have said

  Package is in NEW and has not been accepted or rejected yet.

Which is false. Here, a previous package uploaded with dgit or t2u was "apparently rejected", but actually AFAICT 0.12-1 was uploaded with dput.

Maybe we should have something like the following message:

  Previous git-based (dgit or tag2upload) upload into NEW was superseded by a non-git-based upload (dput) which was subsequently ACCEPTed. We don't know if the non-git-based upload contained a history rewrite.

followed by the rest of the usual $questionable_head_msg_core:

  Unfortunately, we cannot determine automatically what should happen. You will have to pass either --untaint-history (aka --deliberately-include-questionable-history) or --deliberately-not-fast-forward or to specify whether you are keeping or discarding the previously pushed history. The choice is important, to ensure that your git history is both suitable for public distribution and as useful as possible. Please see DEBIAN - TAINTED HISTORY in dgit(7) (from >=forky or trixie-backports) or the descriptions of these options in dgit(1),

In this case, the tainted commit bd7e52b037d4 was indeed 0.12-1, which it appears was REJECTed and replaced with 0.12-2. There is no mechanism for automatically determining that what changed between 0.12-1 and 0.12-2 didn't deserve a history rewrite. (dgit can observe that a history rewrite didn't take place, and git-debpush can see that the unwritten history is public).

So this package's history will remain tainted until someone does an upload with --untaint-history.

Perhaps with the creation of the DFSG and New Packages Team, this whole taint system could be revisited. I'm not sure whether the automatic tainting has ever saved us from depositing dangerous history on dgit-repos, but surely if there has been any dangerous history it will almost certainly have been published on salsa.

Ian.

-- 
Ian Jackson <[email protected]>   These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.

