On Sunday 28 August 2005 07:43, Junichi Uekawa wrote:
--cut--
> > The dpatch-get-origtargz script should have a mechanism to provide a
> > hashsum verification, not the sums themselves, which will be provided by
> > the packager. E.g.:
> > dpatch-get-origtargz <origtardir> <exact_url> <hashsum>
> > I think this could be called from debian/rules to bootstrap the
> > fetch and the build at once.
>
> That's the main problem I see with this approach; the maintainer
> has to update the sums.

Well, that is the cost for the control if you, the maintainer, want the
upstream tarball to be fetchable and verifiable from their original
locations. You need to update the sum only when you have a new upstream
tarball, and that is reasonable I think.

> Optionally allowing this might be a not-too-bad idea.

Well, presently you have almost the same but with no verification possible,
or at least not except you specially reinvented it every single time you
package stuff this way, keeping just your debian/ directory in SCM while at
the same time the upstream tarball is a command away.

I really think that having an option to provide the exact URL to fetch the
upstream tarball is good to have around. People building your package need
to know for sure that they fetch exactly the tarball you have fetched, built
against, and declared that it is ok with you.

Now I think it is a good idea to provide this sum verification optionally
also for option
"5) on the Internet, using the first URL found in debian/watch"

We have that for option 4) - the sum of orig.tar.gz is in *.dsc and also
signed.

Agreed? ;-)

--
pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB
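
The fetch-and-verify step proposed in this message, sketched as an added example (not code from the thread or from dpatch). The names get_origtargz, verify_hashsum and the FETCH hook are hypothetical, and SHA-256 via sha256sum is an assumed choice of hashsum.

```shell
#!/bin/sh
# Added example: a hypothetical helper, NOT the real dpatch-get-origtargz.
# Assumption: the packager pins a SHA-256 sum (the thread only says "hashsum").

# verify_hashsum FILE EXPECTED -> 0 on match, 1 on mismatch, 2 on error
verify_hashsum() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ "$actual" = "$expected" ] && return 0
    echo "hashsum mismatch: got $actual, want $expected" >&2
    return 1
}

# get_origtargz ORIGTARDIR EXACT_URL HASHSUM
# Fetch under a temporary name, verify, and only then publish the tarball
# under its final name, so a failed check never leaves a usable file behind.
# Could be called from debian/rules before the build starts.
get_origtargz() {
    dir=$1 url=$2 sum=$3
    name=${url##*/}                      # file name = last URL component
    [ -n "$name" ] || { echo "URL has no file name: $url" >&2; return 2; }
    mkdir -p "$dir" || return 2
    tmp=$(mktemp "$dir/.origtargz.XXXXXX") || return 2
    # FETCH is a hypothetical override hook of the form: command OUTFILE URL
    if ! ${FETCH:-wget -q -O} "$tmp" "$url"; then
        rm -f "$tmp"
        echo "fetch failed: $url" >&2
        return 2
    fi
    if verify_hashsum "$tmp" "$sum"; then
        mv "$tmp" "$dir/$name"
    else
        rc=$?                            # status of verify_hashsum
        rm -f "$tmp"
        return "$rc"
    fi
}
```

The sum passed as the third argument only adds assurance if it reaches the builder through a channel the maintainer controls, for example debian/rules in the signed source package.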