Hi.  I got this failure for golang-github-smallstep-certificates that
uses a .gitattributes for export-subst version handling:

 .VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
git-debpush: check failed: the upstream source in tag v0.29.0 is not identical 
to the upstream source in refs/heads/debian/latest ('upstream-nonidentical' 
check)

I don't pin to upstream git here, but instead import the tarball, which
differs for this file.

I've learned that your --quilt=gbp mode ignores differences in the
upstream top-level .gitignore file.  I really dislike upstream source
differences, and have been using --quilt=unapplied to detect this
situation and then revert all such changes in my Debian packages.

However this got me thinking about an improvement here:

Couldn't you extend --quilt=gbp (or add another quilt mode) that behaves
the same for .gitignore but for all files in .gitattributes marked with
export-subst?

You'd need a .gitattributes parser, but it is fairly simple.  Any file
marked with 'export-subst' would then be subject to the same "ignore"
handling as the .gitignore file.

What do you think?

Of course, this opens up for supply-chain vulnerabilities planted in
differences in those files, but you already have that for .gitignore,
and even extending the set further severely limits the scope of such
attacks compared to having the same problem for all upstream source code
-- while at the same time allowing a possibly important and growing
use-case for version-related export-subst files.

/Simon

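An added illustration of the mechanism proposed in the message above: a small .gitattributes parser that finds the paths carrying export-subst, and an upstream-nonidentical comparison that skips those paths together with the top-level .gitignore. This is example code written for this page, not git-debpush's or dgit's own implementation; the .gitattributes text and the two file trees are constructed samples standing in for the tagged upstream source and the imported tarball, not the real smallstep files. The pattern matching is a simplified gitignore-style matcher (fnmatch, where `*` also crosses `/`), which is an assumption made to keep the example self-contained.

```python
import fnmatch
import posixpath

# Constructed sample .gitattributes (not the real upstream file). A comment,
# a set attribute, an unrelated key=value attribute and an unset ('-') form
# are all exercised.
SAMPLE_GITATTRIBUTES = """\
# version stamping at 'git archive' time
.VERSION export-subst
*.go eol=lf
docs/** -export-subst
"""

# Constructed file trees: the tagged upstream git source vs. the imported
# tarball, where 'git archive' has already substituted the $Format:...$ string.
TAG_TREE = {
    ".VERSION": "$Format:%(describe)$\n",
    ".gitignore": "*.o\n",
    "main.go": "package main\n",
}
TARBALL_TREE = {
    ".VERSION": "v0.29.0\n",
    ".gitignore": "*.o\n",
    "main.go": "package main\n",
}


def parse_gitattributes(text):
    """Return (pattern, {attr: state}) pairs in file order.

    state is True (set), False (unset, '-attr'), None ('!attr', unspecified)
    or a string ('attr=value'). Quoted patterns containing spaces are not
    handled by this simplified parser.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *attrs = line.split()
        states = {}
        for a in attrs:
            if a.startswith("-"):
                states[a[1:]] = False
            elif a.startswith("!"):
                states[a[1:]] = None
            elif "=" in a:
                key, value = a.split("=", 1)
                states[key] = value
            else:
                states[a] = True
        rules.append((pattern, states))
    return rules


def _matches(pattern, path):
    """Simplified gitignore-style matching: a pattern without '/' matches the
    basename at any depth; a leading '/' anchors at the root. fnmatch's '*'
    also crosses '/', which git's does not (assumption for this example)."""
    if pattern.startswith("/"):
        return fnmatch.fnmatchcase(path, pattern[1:])
    if "/" in pattern:
        return fnmatch.fnmatchcase(path, pattern)
    return fnmatch.fnmatchcase(posixpath.basename(path), pattern)


def attribute_state(rules, path, attr):
    """Last matching rule wins, as in git."""
    state = None
    for pattern, states in rules:
        if attr in states and _matches(pattern, path):
            state = states[attr]
    return state


def export_subst_paths(gitattributes_text, paths):
    """Paths whose effective export-subst attribute is set."""
    rules = parse_gitattributes(gitattributes_text)
    return {p for p in paths if attribute_state(rules, p, "export-subst") is True}


def nonidentical_paths(tag_tree, other_tree, ignore=frozenset()):
    """Paths whose content differs between the two trees, minus the ignore set."""
    return sorted(
        p for p in set(tag_tree) | set(other_tree)
        if p not in ignore and tag_tree.get(p) != other_tree.get(p)
    )


def upstream_nonidentical_check(tag_tree, other_tree, gitattributes_text):
    """The proposed mode: ignore the top-level .gitignore (as --quilt=gbp
    already does) plus every export-subst file; return what still differs."""
    ignore = {".gitignore"} | export_subst_paths(
        gitattributes_text, set(tag_tree) | set(other_tree))
    return nonidentical_paths(tag_tree, other_tree, ignore)


if __name__ == "__main__":
    print(nonidentical_paths(TAG_TREE, TARBALL_TREE))  # ['.VERSION']
    print(upstream_nonidentical_check(TAG_TREE, TARBALL_TREE, SAMPLE_GITATTRIBUTES))  # []
```

In a real tool the parser would be replaced by `git check-attr export-subst -- <path>`, which applies git's own pattern rules and nested .gitattributes files. The supply-chain caveat from the message still applies to this design: the set of skipped files is controlled by upstream's .gitattributes, so a tool implementing the mode should print which paths it ignored so the maintainer can see that only the expected version files were excluded.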