Andrey Rakhmatullin <w...@debian.org> writes:

> On Sat, Aug 17, 2024 at 12:20:16PM +0200, Andreas Tille wrote:
>> My personal preference would be if we make a pristine-tar branch default
>> since this is what I observed in the wide majority of cases.
>
> Note that there are different opinions whether pristine-tar is
> needed/viable/useful. There is at least one objective fact that it's hard
> to keep working.
Did anyone consider a way to only store meta-information about the source
tarballs in the debian/ tree? I'm thinking the SHA-256 checksum of the
tarball should be recorded and be part of the signed debian.tar.xz upload.
For example, libidn2's debian/source/artifact could contain:

Checksums-SHA256: 4c21a791b610b9519b9d0e12b8097bf2f359b12f8dd92647611a929e6bfd7d64 2155214 libidn2_2.3.7.orig.tar.gz

Or something like that.

If the debian/ tree contained a SHA-256 checksum of the upstream release
artifact, it could be used to locate and retrieve the tarballs using any
mechanism available, reducing the need for pristine-tar which is fragile
(how many checks that the checksum of the pristine-tar tarball matches
what's in the debian archive?). It would also strengthen the integrity of
the resulting archive, since then there is some way to look at a
*.debian.tar.* and git debian/ sub-directory and understand what the
intended source code it applies to is.

Manually curating the release artifact checksums is what many other
packaging systems do, and I think it is a good pattern.

/Simon
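The check Simon's proposal would enable, written out as an added example (not code from the original mail, not part of any Debian tool). It assumes a hypothetical debian/source/artifact file using the same field syntax as the Checksums-SHA256 field of a .dsc ("<sha256> <size> <filename>" entries), parses it, and then streams a tarball through SHA-256 to confirm size and digest before the tarball is accepted as the source the debian/ tree applies to. The tarball contents and the digest in the demo are constructed inline; only the filename is taken from the mail.

```python
"""Verify an upstream tarball against a Checksums-SHA256 stanza.

Added example, not part of the original mail or any Debian tool. It assumes
a hypothetical debian/source/artifact file using the Checksums-SHA256 field
syntax of a .dsc ("<sha256> <size> <filename>", on the field line or on
leading-whitespace continuation lines).
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    sha256: str
    size: int
    filename: str


def parse_artifact_file(text: str) -> dict[str, Artifact]:
    """Parse the Checksums-SHA256 field; returns entries keyed by filename."""
    entries: dict[str, Artifact] = {}
    in_field = False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            # New RFC822-style field; only Checksums-SHA256 is of interest.
            name, _, rest = raw.partition(":")
            in_field = name.strip().lower() == "checksums-sha256"
            if not in_field or not rest.strip():
                continue
            line = rest
        elif in_field:
            line = raw
        else:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, filename = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad SHA-256 hex digest for {filename}")
        if "/" in filename or filename in (".", ".."):
            raise ValueError(f"refusing path-like filename {filename!r}")
        entries[filename] = Artifact(digest, int(size), filename)
    return entries


def verify_tarball(path: str, expected: Artifact) -> tuple[bool, str]:
    """Stream the file through SHA-256; compare name, size and digest."""
    if os.path.basename(path) != expected.filename:
        return False, "filename mismatch"
    h = hashlib.sha256()
    total = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            total += len(chunk)
    if total != expected.size:
        return False, f"size mismatch: {total} != {expected.size}"
    if h.hexdigest() != expected.sha256:
        return False, "sha256 mismatch"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed end-to-end run: fake tarball, its stanza, then tampering."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        name = "libidn2_2.3.7.orig.tar.gz"  # name from the mail; content is fake
        payload = b"constructed stand-in for the upstream tarball\n" * 64
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(payload)
        stanza = (
            "Checksums-SHA256:\n"
            f" {hashlib.sha256(payload).hexdigest()} {len(payload)} {name}\n"
        )
        expected = parse_artifact_file(stanza)[name]
        results["good"] = verify_tarball(path, expected)
        # Same length, first byte flipped: size passes, digest must fail.
        with open(path, "r+b") as f:
            f.write(b"C")
        results["tampered"] = verify_tarball(path, expected)
        # Truncated by one byte: size check catches it before hashing matters.
        with open(path, "wb") as f:
            f.write(payload[:-1])
        results["truncated"] = verify_tarball(path, expected)
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case}: {'OK' if ok else 'FAIL'} ({why})")
```

The size is checked as well as the digest because the .dsc field carries both, and a size mismatch is a cheap early rejection; the filename check stops a stanza for one tarball being used to bless another.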