> - You explain why there is no debian/watch. I agree with the rationale. > However, I think it will be great > to codify and link this not only on this bug report, but also in the package > itself, in a README.
In addition to Didier's request, from an SRU perspective it would be very helpful if there was an obvious way we could tell that the orig tarball that turns up in the -unapproved queue has been generated in the expected fashion, and that we have a verifiable chain from the tarball in Ubuntu to the tag in upstream's git. It looks like we can mostly do this - the github action publishes the SHA256 of the (zipped) artifact, we can unpack that and verify that orig tarball in that zipfile matches the archive. Can we do the reverse lookup? Given an archive orig tarball, can we find the repository state that matches? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2134482 Title: [MIR] dotnet10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dotnet10/+bug/2134482/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
