Hi Otto and all the others :) On Tue Feb 10, 2026 at 4:54 PM CET, Otto Kekäläinen wrote:
I think a lot of people want to stop doing uploads via ftp/ssh and use git tags instead, but tag2upload / git debpush has design decisions which breaks traditional software provenance assumptions in Debian, such as being able to check bit-for-bit that the tarball was actually the same as from upstream, or store and check upstream signatures.
This is not true. t2u can support pristine-tar, it's just a missing feature. I had started implementing that, but still haven't completed that work. I understand this and many other similar discussions would not happen if I had actually completed my work, and I'm sorry for that.
Thus it is a bit too early to recommend git debpush to newbies. If might be reasonable in the future though with some technical changes,
I do agree. Also, the limitation of having to use something else for NEW uploads is confusing and we should fix it before recommending one single tool.
Please do not expect follow ups from me, as I recently had surgery and will be able to only use my left hand to type for a while.
Bye!
