Control: severity -1 important
Philip Hands writes ("Bug#1124226: dgit: commits created for previous uploads
should be created in the name of the current dgit user"):
> As you can see in this thread from debian-boot:
>
> https://lists.debian.org/debian-boot/2025/12/msg00210.html
>
> Cyril was unpleasantly surprised by the discovery that an upload I had done
> with
> dgit had created git commits in his name that were not his doing.
Firstly, I should say that I'm sorry to Cyril for this.
> I can see why they should be _somehow_ tagged as being his work, given that
> they
> are representations of uploads he did to the archive, but I agree with him
> that
> setting both the Author and Committer seems to overstep the mark by quite a
> margin.
I am inclined to agree, so this was a mistake on my part. I'm raising
the severity of this bug and we will change the way dgit behaves.
> I'd have thought that setting at least one of those to me would have been a
> more
> accurate recording of what happened.
I think the right answer is probably for dgit to set the `committer`
differently. I think we probably ought to retain the `author`.
These commits are the results of importing the source package into
git. They represent the various elements of the upload, including the
tarballs and patches. Those are indeed things that the uploading
maintainer produced; they've been transformed from .changes/.dsc to
git. Setting the `author` is a usual way of providing attribution,
even for things that weren't done as git. (For example, I routinely
use `git commit --author` when importing translations supplied as BTS
attachments.)
I don't think we want to use the git information belonging to the user
running dgit fetch. It is much better if different users importing
the same .dsc get the same commits. So probably we should use some
fixed standard "dummy" user, with "dgit" in it, for the committer.
Regards,
Ian.
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
