Bruno Haible via Gnulib discussion list <bug-gnulib@gnu.org> writes:

> Note that some Debian packages are based on git checkouts as well (e.g. [1]),
> for example when there hasn't been a release for a long time. I guess that
> your proposal is supposed to improve the situation for such packages
> as well?

Alas I think that is a never-ending social battle between Debian packaging and upstreams. Having release tarballs established a boundary between these two entities, but today the line is blurred by having public version control systems, and when release quality or frequency goes down people seem to track latest git.

>> My primary goal is to have something stronger than a HTTPS URL to
>> Savannah as a trust anchor for how to retrieve gnulib. PGP signatures
>> on a serialized file, like a tarball or git bundle, are stronger.
>
> Fine with me.

Ok, let's see if there are some more thoughts on this idea.

Timing-wise, maybe it makes sense to push out a "snapshot" Git bundle right before you branch off stable-202501? The Git bundle would then include master up to that point, and the earlier stable-* branches. I suspect it isn't likely that stable-202406 will receive that many commits after stable-202501 has been branched off?

I'm not sure if it is a good idea to include the newly created stable-202501 branch in that Git bundle or not. The new branch is likely to keep moving. The purpose of the Git bundle is mostly to establish a known-good stable serialized archival copy of gnulib. That would suggest not including the branch is better, even though it feels a bit surprising.

/Simon
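The snapshot described in the message above, sketched as an added example that is not part of the original e-mail or of gnulib's own tooling: it bundles master and the stable-* branches while leaving one named branch out, then signs and verifies the resulting file. The function names and file names are assumptions; the branch names are the ones the message mentions.

```shell
#!/bin/sh
# Added example (not from the thread). File names and the helper names
# below are assumptions; branch names are the ones the message mentions.

# make_snapshot_bundle REPO OUT EXCLUDE
# Bundle master plus every stable-* branch except EXCLUDE.
# OUT must be an absolute path because git runs inside REPO.
make_snapshot_bundle() {
    repo=$1 out=$2 exclude=$3
    refs=$(git -C "$repo" for-each-ref --format='%(refname)' \
               refs/heads/master 'refs/heads/stable-*' |
           grep -vxF "refs/heads/$exclude" || :)
    [ -n "$refs" ] || { echo "no branches to bundle" >&2; return 1; }
    # Ref names contain no whitespace, so word splitting is intended here.
    git -C "$repo" bundle create "$out" $refs
}

# bundle_heads FILE: print the refs recorded in the bundle header, sorted.
bundle_heads() {
    git bundle list-heads "$1" | awk '{print $2}' | sort
}

# sign_bundle FILE: write a detached, ASCII-armored signature to FILE.asc.
# Requires a secret key in the caller's GnuPG keyring.
sign_bundle() {
    gpg --armor --detach-sign --output "$1.asc" "$1"
}

# verify_snapshot FILE REPO: check the signature before git parses anything,
# then let git check that the bundle is well formed and applies to REPO.
# FILE must be an absolute path because git runs inside REPO.
verify_snapshot() {
    gpg --verify "$1.asc" "$1" || return 1
    git -C "$2" bundle verify "$1"
}

# Stand-alone use: sh snapshot.sh /path/to/gnulib /abs/path/out.bundle stable-202501
if [ "$#" -eq 3 ]; then
    make_snapshot_bundle "$1" "$2" "$3" && bundle_heads "$2"
fi
```

The signature check only anchors trust if the signer's public key reached the verifier through a channel other than the one that delivered the bundle.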