On 29.05.19 17:41, Andrey Rahmatullin wrote:
>> Perhaps we should update policy to say that the .orig tarball may (or
>> even "should") be generated from an upstream release tag where
>> applicable.
> This conflicts with shipping tarball signatures.

Does that really need to be the upstream's tarballs? Why not just
automatically generate the orig tarballs and fingerprint *them*
(not caring about the upstream's tarball at all)?

If it's about validating the source integrity all along the path from
upstream to deb-src repo, we could do that by an auditable process
(e.g. fully automatic, easily reproducible transformations).

--mtx

--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287
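
The "fully automatic, easily reproducible transformation" proposed in the message above can be illustrated with a deterministic tarball builder; this is an added example, not part of the original post and not a Debian tool. The function names `build_orig_tarball` and `fingerprint` are hypothetical, and the input is assumed to be a directory of regular files exported from an upstream release tag.

```python
import gzip
import hashlib
import io
import os
import sys
import tarfile


def build_orig_tarball(src_dir, prefix):
    """Pack src_dir into .tar.gz bytes that depend only on paths, exec bits and file data."""
    rels = []
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rels.append(os.path.relpath(full, src_dir).replace(os.sep, "/"))
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in sorted(rels):  # fixed member order, not filesystem order
            full = os.path.join(src_dir, rel)
            info = tarfile.TarInfo(f"{prefix}/{rel}")
            info.size = os.path.getsize(full)
            info.mtime = 0  # drop checkout timestamps
            # keep only the owner exec bit; everything else is normalised
            info.mode = 0o755 if os.stat(full).st_mode & 0o100 else 0o644
            info.uid = info.gid = 0  # drop the builder's identity
            info.uname = info.gname = "root"
            with open(full, "rb") as fh:
                tar.addfile(info, fh)
    out = io.BytesIO()
    # mtime=0 and an empty filename keep the gzip header constant. The compressed
    # bytes still depend on the zlib build, so pin the toolchain or hash the tar.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def fingerprint(src_dir, prefix):
    """SHA-256 of the generated tarball; the value a second builder re-derives and compares."""
    return hashlib.sha256(build_orig_tarball(src_dir, prefix)).hexdigest()


if __name__ == "__main__":
    # usage: script.py <exported-tag-directory> <package>-<version>
    print(fingerprint(sys.argv[1], sys.argv[2]))
```

Two independent checkouts of the same tag yield the same fingerprint regardless of checkout time or file creation order, which is what lets a third party audit the transformation by re-running it.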