Hello,

Simon Josefsson [08/Jan  1:09pm +01] wrote:
> Doesn't it?  'gbp import-orig --uscan --upstream-vcs-tag=v1.2.3' will
> fail with a hard error if v1.2.3 cannot be found and imported to the
> upstream branch.  Isn't that the property you want?

But if the contents of the tarball differ from the contents of the
upstream tag, the contents of the tarball take precedence.  There isn't
a way to tell GBP to error out, in that case (which Ian and I would
argue ought to be the default).  Instead, it unconditionally goes ahead
and makes a commit on top of the upstream tag representing the
differences.

> Maybe it helps, to understand where I'm coming from, to see that I
> worry about long-term authenticity and reproducibility of bit-by-bit
> identical release artifacts.
>
> A PGP signature on a 'git archive' tarball is the closest I'm coming to
> solve my concern, so pending anything better, that's what I will
> recommend.
>
> If there is a way to implement something with that property with native
> git, I would happily give up tarballs.

AIUI the file format used by git-bundle(1) is stable and documented.

-- 
Sean Whitton
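A concrete form of the check Sean describes as missing from gbp, added here as an example and not part of the original message, of git-buildpackage or of git: compute the git tree id of a tarball's contents directly from the archive (the same object id a `git archive` of a tag is produced from) and compare it to `git rev-parse --verify TAG^{tree}`, refusing the tarball on any difference instead of silently committing the delta on top of the upstream tag. The pure-Python part needs no git; git is only invoked to resolve the tag. The script name and the `pkg-1.0`/`v1.2.3` names are assumptions, and `make_tarball` builds constructed sample input for demonstration.

```python
"""Strict tarball-vs-tag check: is this tarball exactly the tree the upstream tag points at?"""
import hashlib
import io
import posixpath
import subprocess
import sys
import tarfile


def git_object_id(kind: str, payload: bytes) -> str:
    """Id of a loose git object: sha1('<kind> <len>\\0' + payload)."""
    return hashlib.sha1(f"{kind} {len(payload)}".encode() + b"\0" + payload).hexdigest()


def tree_id(tree: dict) -> str:
    """Serialise a nested dict (leaf = (mode, blob id), dict = subtree) as a git tree object.

    Git sorts entries bytewise by name, comparing a subtree as if it were named 'name/'."""
    def key(item):
        name, value = item
        return name.encode() + (b"/" if isinstance(value, dict) else b"")

    payload = b""
    for name, value in sorted(tree.items(), key=key):
        mode, oid = ("40000", tree_id(value)) if isinstance(value, dict) else value
        payload += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
    return git_object_id("tree", payload)


def tarball_tree_id(fileobj, strip_components: int = 1) -> str:
    """Git tree id of a tarball's contents, computed without extracting it to disk.

    Only what git records affects the result: paths, file bytes, the executable
    bit and symlink targets. Timestamps, owners, tar member order and the
    leading 'pkg-1.2.3/' prefix (stripped) do not. Empty directories are dropped,
    since git cannot represent them either."""
    root: dict = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            parts = posixpath.normpath(member.name).split("/")[strip_components:]
            if not parts or member.isdir():
                continue
            if member.issym():
                entry = ("120000", git_object_id("blob", member.linkname.encode()))
            elif member.isfile():
                mode = "100755" if member.mode & 0o111 else "100644"
                entry = (mode, git_object_id("blob", tar.extractfile(member).read()))
            else:
                raise ValueError(f"cannot map tar member to a git object: {member.name}")
            node = root
            for part in parts[:-1]:
                node = node.setdefault(part, {})
            node[parts[-1]] = entry
    return tree_id(root)


def tag_tree_id(repo: str, tag: str) -> str:
    """Resolve <tag>^{tree} in a checkout; a missing tag is a hard error (CalledProcessError)."""
    out = subprocess.run(["git", "-C", repo, "rev-parse", "--verify", f"{tag}^{{tree}}"],
                         check=True, capture_output=True, text=True).stdout
    return out.strip()


def make_tarball(entries, prefix="pkg-1.0", mtime=0) -> io.BytesIO:
    """Constructed sample input: (name, data, mode) triples packed under 'prefix/'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        top = tarfile.TarInfo(prefix + "/")
        top.type, top.mode, top.mtime = tarfile.DIRTYPE, 0o755, mtime
        tar.addfile(top)
        for name, data, mode in entries:
            ti = tarfile.TarInfo(f"{prefix}/{name}")
            ti.size, ti.mode, ti.mtime = len(data), mode, mtime
            tar.addfile(ti, io.BytesIO(data))
    buf.seek(0)
    return buf


def main(argv):
    # Assumed invocation: tarcheck.py foo_1.2.3.orig.tar.gz /path/to/upstream-checkout v1.2.3
    if len(argv) != 4:
        sys.exit(f"usage: {argv[0]} TARBALL REPO TAG")
    with open(argv[1], "rb") as f:
        got = tarball_tree_id(f)
    want = tag_tree_id(argv[2], argv[3])
    if got != want:
        sys.exit(f"REFUSING: tarball tree {got} != {argv[3]}^{{tree}} {want}")
    print(f"ok: tarball is exactly the tree of {argv[3]} ({got})")


if __name__ == "__main__":
    main(sys.argv)
```

The check is deliberately as strict as the thread argues the default should be: a tarball produced by `make dist` (generated configure scripts, extra files) will not match, and neither will a `git archive` of a tag whose .gitattributes use export-ignore or export-subst, since those make the archive differ from the tag's tree by design. Equality of the tree id is exactly the "bit-by-bit identical to the tagged tree" property; anything else is a difference you have to decide about, rather than one that gets committed on your behalf.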
