On 06/01/26 at 11:03 +0000, Ian Jackson wrote:
> Otto Kekäläinen writes ("Re: Include git commit id and git tree id in 
> *.changes files when uploading?"):
> > Hi Ian,
> > > Note that tag2upload doesn't make anything worse, with respect to
> > > upstream git tags.
> > 
> > I know people who push to dgit directly and avoid using tag2upload
> > because of the lack of support for pristine-tar and detached
> > signatures in tag2upload.
> 
> pristine-tar has nothing to do with *git tags*.

But it has something to do with upstream git commits. If
- upstream tarballs are generated to include the git commit used (as
  with git-archive)
- and the tarball is not rewritten by uscan
- and pristine-tar is used
Then the git commit used by upstream to generate the tarball is
preserved in Debian's upstream (orig) tarball.

That's not a corner case. According to debaudit/orig-check results,
57% of our packages in sid (that's 22016 packages) have an orig tarball
that is bit-identical to the upstream tarball downloaded by uscan.
Out of those 22016 orig tarballs, 7769 (35%) include a git commit (as a
tar pax header).

For some salsa groups, that's a lot of packages:
                    team                     | count 
---------------------------------------------+-------
 https://salsa.debian.org/python-team        |  1190
 https://salsa.debian.org/js-team            |   963
 https://salsa.debian.org/debian             |   933
 https://salsa.debian.org/go-team            |   923
 https://salsa.debian.org/science-team       |   259
 https://salsa.debian.org/ruby-team          |   255
 https://salsa.debian.org/med-team           |   219
 https://salsa.debian.org/ocaml-team         |   191
 https://salsa.debian.org/openstack-team     |   162
 https://salsa.debian.org/homeassistant-team |   158

I think that those additional data points (bit-identical tarballs,
upstream git commits declared to be used when generating the tarball)
are useful to preserve when possible, because they can help debug supply
chain issues. Giving up on them would be a pity IMHO.

For example, interestingly, there are 815 packages where the orig tarball commit
does not match a freshly downloaded upstream tarball. A few examples:
https://debaudit.debian.net/orig-check/result/00ea060645a90efd84709fa609b02a40081c9dcb0274619cc8246e38f87af1e2
https://debaudit.debian.net/orig-check/result/015c69f5273e494330073760c1c3b27385d1057c35ceb25dca3a7e90c3d1c8ac
https://debaudit.debian.net/orig-check/result/01f5dba7b0712cad020f624c5ca28151746845bae88cf7af8a51ed2aa612e08a
https://debaudit.debian.net/orig-check/result/020f4cd9d4a34aae99df22649ec792d1d53faf1a7bc4c7366d285ec3176b798c
https://debaudit.debian.net/orig-check/result/02227b8efcf6e905f919f65cb0eb85ee975b925cd305a7db33ed1c8ea6c3bf33

Lucas
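As an added example (not part of the original message, and not code from debaudit/orig-check, uscan or pristine-tar), here is a small Python check that reproduces the two signals described above: whether an orig tarball is bit-identical to a freshly downloaded upstream tarball, and whether the commit id that git-archive stores in the tarball's pax global header (the "comment" key) matches between the two. The tarballs, file contents and commit ids are constructed in memory, and the function names are my own.

```python
import hashlib
import io
import re
import tarfile

# git-archive records the archived commit in a pax *global* header under the
# key "comment"; that is the "git commit (as a tar pax header)" the message
# refers to. Object ids are 40 hex chars (SHA-1) or 64 (SHA-256 repositories).
PAX_COMMIT_KEY = "comment"
OBJECT_ID_RE = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")

# Constructed sample content standing in for an upstream release.
SAMPLE_FILES = {"hello-1.0/hello.c": b"int main(void) { return 0; }\n"}


def build_archive(commit_id, files):
    """Constructed test fixture: build an uncompressed tarball in memory,
    writing the commit id the way git-archive does when one is given.
    Member metadata is fixed so identical inputs give identical bytes."""
    buf = io.BytesIO()
    headers = {PAX_COMMIT_KEY: commit_id} if commit_id else {}
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      pax_headers=headers) as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # deterministic timestamps
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archived_commit(tar_bytes):
    """Return the commit id stored in the tarball's pax global header, or
    None when the archive carries no well-formed commit id."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        value = tf.pax_headers.get(PAX_COMMIT_KEY, "")
    return value if OBJECT_ID_RE.fullmatch(value) else None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_orig(orig_tar, upstream_tar):
    """Compare a Debian orig tarball against a freshly downloaded upstream
    tarball: bit-identity first, then the declared commits when both exist."""
    orig_commit = archived_commit(orig_tar)
    upstream_commit = archived_commit(upstream_tar)
    return {
        "bit_identical": sha256_hex(orig_tar) == sha256_hex(upstream_tar),
        "orig_commit": orig_commit,
        "upstream_commit": upstream_commit,
        # None: nothing to compare; False: the "commit does not match" case
        "commit_match": (orig_commit == upstream_commit
                         if orig_commit and upstream_commit else None),
    }


if __name__ == "__main__":
    commit_a = "a" * 40  # constructed placeholder object id
    commit_b = "b" * 40  # constructed: upstream re-tagged the same release
    orig = build_archive(commit_a, SAMPLE_FILES)
    print(check_orig(orig, build_archive(commit_a, SAMPLE_FILES)))
    print(check_orig(orig, build_archive(commit_b, SAMPLE_FILES)))
    print(check_orig(build_archive(None, SAMPLE_FILES), orig))
```

The third run shows what is lost when a tarball is repacked without the pax header: the bit-identity check still works, but there is no longer a commit to compare, which is the data point the message argues is worth preserving.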
