Paul R. Tagliamonte wrote:
> I wonder if we have a good idea of what the project believes to be the case
> between #1 and #2:
>
> 1) Is the source of a package the debian source distribution?
> 2) Is the source of a package the VCS where the source is held?

Let me rewrite that in a different way:

1) is the source of a package the current version of the code? [*]
2) is the source of a package the complete history of the project? [**]

Speaking for myself, I believe the source is "the set of files that are required in order to build the package", that is, the current version, and only that. The history of the project may be useful information as it documents how the code was developed, but it is not necessary in order to build the package AND it is not necessary in order to develop a modified version.

One could argue that the "preferred form for modification", as per the GPL, includes anything that might provide useful information to a developer. I consider that a far-fetched interpretation. If the developers wrote a book explaining how they designed the program, that too would be useful information, for pretty much the same reasons, but I don't think anybody would argue that the book would be part of the source.

Then the source can be stored and made available in different ways: as a tarball, as a tagged snapshot of a VCS, etc. I see that as a mostly orthogonal issue. Those are simply different ways to retrieve the same set of source files. Different upstreams might indicate a different "canonical way" to obtain the source: download a tarball, check out a Git repository, or whatever. People could choose to follow or not follow the recommendation and obtain the source via other means. What matters is that they end up with the same files.

Similarly, I don't see a problem if one signs the .dsc file or the Git tree. What matters is that it can be verified that the source files haven't been tampered with. Any method of signing is fine as long as it achieves that goal. Of course, the signed file(s) must be in the Debian archive, which currently the .dsc file is and the Git tree isn't.

[*] "Current" in the context of a specific release, that is, the version of the code that upstream decided to release
[**] Strictly speaking, the subset of the complete history that got committed to the project's VCS

Gerardo

