Hello,

Perhaps the following elaborate statement can be condensed (once
sufficient cooling has occurred :-))

1. Once pkg_ver.orig.tar.gz enters the Debian archive this is
considered the authoritative Debian version from which all the binary
Debian packages will be built (for that version of the package). A
signature/checksum is used (in the upload and the Sources.gz file) so
as to detect any "contamination".

2. If re-packaging of upstream sources was required in order to create
this .orig.tar.gz, then this should be documented in the copyright
file (with some further explication in README.Debian-source perhaps).

3. Whenever upstream releases a new version, one needs to create a
pkg_nver.orig.tar.gz for the newer version.

In case this is merely a matter of downloading and renaming an
upstream tar.gz, the "uscan" and "uupdate" programs are adequate and
there is no significant need for a get-orig-source target.

In the case when re-packaging has been done as in (2), it is
a non-trivial convenience if these steps are automated by such
a program or target. Such a program further clarifies the statements
in the copyright file and the README.Debian-source file. (Program as
documentation!)

In the last case, someone who wishes to verify the accuracy of the
statements in the copyright file may also wish to re-generate
pkg_ver.orig.tar.gz to compare it with the Debian version. This
can also be provided for to the extent possible.

If there is any reason to suspect that the pkg_ver.orig.tar.gz was
not in fact created as documented then this constitutes a bug whose
severity would depend on the extent of the discrepancy.

Regards,

Kapil.
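The verification described in the message above (re-generating pkg_ver.orig.tar.gz and comparing it with the Debian version), sketched as an added example that is not part of the original post. A re-generated tarball rarely matches byte for byte, because timestamps and the top-level directory name differ, so this compares per-file content digests instead. The function names and the sample package data are constructed for illustration, and it assumes every member sits under a single top-level directory.

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes):
    """Map each member path to (type, mode, content digest or link target)."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            # Ignore the top-level directory name, which may differ between builds.
            _, _, path = member.name.partition("/")
            if not path:
                continue
            if member.isfile():
                data = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            else:
                data = member.linkname  # empty for directories
            entries[path] = (member.type, member.mode, data)
    return entries


def compare(archive_bytes, regenerated_bytes):
    """Return sorted lists of paths that are missing, extra or changed."""
    a, b = manifest(archive_bytes), manifest(regenerated_bytes)
    return {
        "only_in_archive": sorted(a.keys() - b.keys()),
        "only_in_regenerated": sorted(b.keys() - a.keys()),
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


def make_tarball(topdir, files, mtime):
    """Build a constructed sample .tar.gz in memory (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{topdir}/{name}")
            info.size, info.mtime, info.mode = len(content), mtime, 0o644
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: same tree packed at different times, then a tampered copy.
FILES = {"src/main.c": b"int main(void){return 0;}\n", "README": b"demo\n"}
ARCHIVE = make_tarball("pkg-1.0.orig", FILES, mtime=1_000_000_000)
REGENERATED = make_tarball("pkg-1.0", FILES, mtime=1_200_000_000)
TAMPERED = make_tarball("pkg-1.0", {**FILES, "README": b"demo!\n", "blob.bin": b"\0"}, 1_200_000_000)
```

Calling compare(ARCHIVE, REGENERATED) returns three empty lists even though the two byte strings differ, while compare(ARCHIVE, TAMPERED) names the changed and added paths.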