Andrew Bower writes ("Bug#1117838: git-debpush: git-deborig produces different 
orig.tar.xz from tag2upload"):
> pristine-tar branches are so widespread that some people get confused by
> their absence.

This may be true but it is very unfortunate.  The way Debian
fetishises tarballs is ridiculous, given that most upstreams see them
as a distracting irrelevance at best.

That people are still recommending "gbp import-orig" is very sad.

> the UDD maintainer dashboard now has an 'orig-check' that shows 'ok-ish'
> when tarballs differ only before normalisation. It still shows up as a
> positive result but it seems to penalise packages whose upstreams have
> been through tag2upload.

We need to stop having tooling and documentation in Debian which
encourages doing things the bad way.

> This is unquestionably a trivial report - please feel free to close this
> bug! I only raised it as a possible barrier to adoption. One thing on my
> mind is that contributors are reliant on sponsors being familiar with
> their preferred workflow and that this might channel contributors away
> from trying workflows that might be a better fit for us.

We would very much like help with improving documentation across the
distro to stop recommending obsolete (and harmful[1]) tarball-based
approaches.

I don't think we can do anything about this bug, can we, Sean?

Ian.

[1] The xz attack was facilitated by Debian using tarballs as if they
were a sensible upstream artifact.  (I don't agree with the prominent
analysis to the contrary.)

-- 
Ian Jackson <[email protected]>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
