Simon McVittie <[email protected]> writes:

>>> "pristine-tar: With a new upstream version, tag2upload will generate a
>>> fresh orig tarball with git archive (via git-deborig). This is OK, but
>>> it may surprise some users. 1106071."
>>
>> This is probably the toughest nut, and is mostly a matter of opinion if
>> pristine-tar is a good pattern and offers anything useful.
>
> I think pristine-tar is a bit of a red herring here, and the real
> matter of opinion is:
>
> 1. on one side, some developers/workflows/upstreams place value on having
>    the orig.tar.* be the same bytes that were delivered by upstream
>    (in particular so we can validate signed tarballs)
>    or if that isn't possible for DFSG reasons, at least having the
>    orig.tar.* contain everything that upstream delivered in their
>    official source release, minus the parts that either copyright law
>    or our self-imposed rules require us to remove
>
> 2. on the other side, some developers/workflows/upstreams(?) place value
>    on having the upstream source code be the same filesystem tree
>    ("tree-same") that is in upstream's *git repository*, which might or
>    might not be closely related to what they release in tarballs if
>    any, minus the parts that either copyright law or our self-imposed
>    rules require us to remove
That is a good summary -- and it establishes that both positions are
actually reasonable, or at least not unreasonable, and that they are in
conflict. I think there are a lot of arguments that try to convince
people that only one of those views is objectively right.

My suggestion on how to solve this dilemma is for upstreams to publish
cryptographically signed git-archive tarballs. With those, I believe
both camps should get all the properties they are attempting to reach.

https://blog.josefsson.org/2024/04/01/towards-reproducible-minimal-source-code-tarballs-please-welcome-src-tar-gz/
https://blog.josefsson.org/2024/04/13/reproducible-and-minimal-source-only-tarballs/

Some people demand a further approach: replace signed git-archive
tarballs with signed git-bundles to ship the entire git history. We do
this for gnulib, but I think few projects need that.

/Simon
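The property Simon is relying on above is that a tarball made with git
archive from a tag can be rebuilt byte-for-byte by anyone with the git
repository, so "same bytes as upstream delivered" and "tree-same with
upstream git" stop being in conflict. The script below is an added
illustration, not code from this thread, tag2upload or any of the
projects named in it: it archives a constructed throwaway repository
twice, checks that both archives hash identically, and checks that the
tarball contains exactly the blobs of the tagged tree. The repository
contents, the v1.0 tag, the example-1.0 prefix and the dates are all
constructed for the demo; the final signing step (gpg --detach-sign over
the checksum file or the tarball) is only described in a comment, since
it needs a key.

```sh
#!/bin/sh
# Added example (not from the thread): build a reproducible "git archive"
# source tarball for a release tag, show that a second run is byte-identical,
# and check that the tarball holds exactly the files of the tagged tree.
# All repository content, names and dates below are constructed for the demo.
set -eu

sha256_of() {
  # Portable SHA-256 of a file: sha256sum (GNU) or shasum (BSD/macOS).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

make_src_tarball() {
  # Usage: make_src_tarball <repo> <tag> <prefix-dir> <out.tar.gz>
  # git archive sets every mtime to the tag's commit time and writes entries
  # in tree order; gzip -n omits the timestamp and file name from the gzip
  # header. Together that makes the bytes depend only on the tagged tree.
  git -C "$1" archive --format=tar --prefix="$3/" "$2" | gzip -n -9 > "$4"
}

tarball_matches_tree() {
  # Usage: tarball_matches_tree <repo> <tag> <prefix-dir> <tarball>
  # Regular files listed in the tarball must equal git's list of blobs in
  # the tag (paths marked export-ignore in .gitattributes would differ).
  git -C "$1" ls-tree -r --name-only "$2" | sort > "$4.expected"
  gzip -dc "$4" | tar -tf - | grep -v '/$' | sed "s|^$3/||" | sort > "$4.actual"
  cmp -s "$4.expected" "$4.actual"
}

demo_reproducible_archive() {
  # Creates a throwaway repository, tags v1.0, archives it twice and verifies
  # both properties. Returns 0 on success, 1 on any mismatch.
  work=$(mktemp -d)
  repo="$work/example"
  # Fixed dates keep the commit and tag ids stable between runs.
  export GIT_AUTHOR_DATE="2024-04-01T00:00:00+00:00"
  export GIT_COMMITTER_DATE="$GIT_AUTHOR_DATE"
  git init -q "$repo"
  mkdir -p "$repo/src"
  printf 'constructed sample project\n' > "$repo/README"
  printf 'int main(void) { return 0; }\n' > "$repo/src/main.c"
  git -C "$repo" add -A
  git -C "$repo" -c user.name=Example -c user.email=example@example.invalid \
      commit -q -m "Import constructed sources"
  git -C "$repo" -c user.name=Example -c user.email=example@example.invalid \
      tag -a v1.0 -m "Release 1.0"

  make_src_tarball "$repo" v1.0 example-1.0 "$work/first.tar.gz"
  make_src_tarball "$repo" v1.0 example-1.0 "$work/second.tar.gz"
  h1=$(sha256_of "$work/first.tar.gz")
  h2=$(sha256_of "$work/second.tar.gz")
  if [ "$h1" != "$h2" ]; then
    echo "archives differ: $h1 vs $h2" >&2; rm -rf "$work"; return 1
  fi
  if ! tarball_matches_tree "$repo" v1.0 example-1.0 "$work/first.tar.gz"; then
    echo "tarball content does not match tagged tree" >&2; rm -rf "$work"; return 1
  fi
  # This checksum file (or the tarball itself) is what upstream would sign,
  # e.g. with gpg --detach-sign; signing is left out so the demo runs offline
  # without a key.
  printf '%s  example-1.0.tar.gz\n' "$h1" > "$work/SHA256SUMS"
  echo "reproducible: $h1"
  rm -rf "$work"
  return 0
}

demo_reproducible_archive
```

The reproducibility shown here holds for a given git and gzip: the
bytes can change between versions of either tool, which is exactly why
the upstream signature, rather than a downstream recomputation, is the
thing to verify; recomputing from the tag is the cross-check that the
signed tarball is tree-same with the repository.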

