>>>>> "Paul" == Paul Wise <p...@debian.org> writes:
    Paul> Hi all, I noticed that sometimes Debian's choice of upstream
    Paul> source for packaging can be suboptimal. This is especially
    Paul> apparent for the different per-language upstream packaging
    Paul> ecosystems[1], where the upstream packaging differs from the
    Paul> upstream VCS in some significant ways, including missing
    Paul> files, prebuilt files, embedded copies etc.

    Paul> While the upstream VCS also sometimes has these issues, it is
    Paul> often much less problematic than the upstream packaging
    Paul> ecosystems.

    Paul> I'd like to suggest that we standardise on the upstream VCS
    Paul> for our orig.tar.gz files and phase out use of upstream
    Paul> packaging ecosystems.

I support moving in this direction at least as a strong recommendation.

I think that there will be cases (like the cases you discuss and I snipped) where using the tarball will be important. And so if maintainers have a justification for preferring the tarball rather than VCS, that should be permitted. But the VCS is a lot more convenient and definitive for most operations.

The types of standardization we're talking about here have value even if there are exceptions. So I think it is valuable to move in that direction even if we cannot get there 100%.

I don't think it should block such standardization, but it might be valuable to have a way to represent the signed git tag or commit we're using as an upstream. I understand that the verification process would be different than for an upstream tarball. You'd effectively have to grab the tree for that tag, verify the signature, and then compare the contents of the tree to the contents of the VCS-based tarball.

I don't want to see signatures stand in the way of us preferring VCS long-term.

--Sam
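The three-step check Sam describes (fetch the tree for the tag, verify the tag signature, compare the tree with the orig tarball) written out as a shell sketch. This is an added example and not code from the thread or from any Debian tool; it assumes `git`, `tar` and `diff` are installed, and the function names, the `proj-1.0` prefix and the toy repository built by `make_fixture` are constructed for illustration. The comparison is on extracted contents, so a tarball that carries an extra prebuilt file or drops a source file is reported as a mismatch.

```shell
#!/bin/sh
# Added example, not from the debian-devel thread. Assumes git, tar and diff.
# Hypothetical helper names; adapt paths and tag names to a real package.

# Step 1 of the check: the tag must carry a valid OpenPGP signature from a
# key already in the local keyring. git verify-tag exits non-zero for an
# unsigned tag, a bad signature, or an unknown key.
verify_upstream_tag() {
    repo=$1; tag=$2
    git -C "$repo" verify-tag "$tag" >/dev/null 2>&1
}

# Steps 2 and 3: export the tree at $tag, unpack the candidate orig tarball
# with its top-level directory stripped, and diff the two recursively.
# Returns 0 when the contents are identical, 1 (with the diff on stdout)
# when they differ, e.g. prebuilt artifacts or missing files in the tarball.
compare_tree_to_tarball() {
    repo=$1; tag=$2; orig=$3
    work=$(mktemp -d)
    mkdir "$work/tree" "$work/tarball"
    git -C "$repo" archive --format=tar "$tag" | tar -xf - -C "$work/tree"
    tar -xzf "$orig" -C "$work/tarball" --strip-components=1
    if diff -r "$work/tree" "$work/tarball"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# Full check: signature first, then contents. Any failure is non-zero.
check_upstream() {
    repo=$1; tag=$2; orig=$3
    verify_upstream_tag "$repo" "$tag" || { echo "tag $tag: signature not verified" >&2; return 1; }
    compare_tree_to_tarball "$repo" "$tag" "$orig" || { echo "$orig differs from tree at $tag" >&2; return 1; }
    echo "$orig matches signed tag $tag"
}

# Constructed fixture (not real upstream data): a one-file repository with an
# unsigned tag v1.0, a faithful tarball built from that tag, and a second
# tarball that smuggles in a prebuilt main.o. Prints the fixture directory.
make_fixture() {
    fx=$(mktemp -d)
    git init -q "$fx/upstream" >/dev/null 2>&1
    echo 'int main(void) { return 0; }' > "$fx/upstream/main.c"
    git -C "$fx/upstream" add main.c >/dev/null
    git -C "$fx/upstream" -c user.name=u -c user.email=u@example.com \
        commit -q -m init >/dev/null
    git -C "$fx/upstream" tag v1.0
    git -C "$fx/upstream" archive --format=tar.gz --prefix=proj-1.0/ v1.0 \
        > "$fx/good.orig.tar.gz"
    mkdir -p "$fx/stage/proj-1.0"
    cp "$fx/upstream/main.c" "$fx/stage/proj-1.0/"
    printf 'prebuilt object' > "$fx/stage/proj-1.0/main.o"
    tar -czf "$fx/bad.orig.tar.gz" -C "$fx/stage" proj-1.0
    echo "$fx"
}

# Usage on a real package:
#   check_upstream /path/to/upstream-clone v1.2.3 ../pkg_1.2.3.orig.tar.gz
```

`compare_tree_to_tarball` can be run on its own while a signed-tag workflow is still being set up, which matches the point in the message that signature handling should not block the move to VCS-based tarballs; `check_upstream` is the combined form for when the upstream key is available.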