Worst case scenario is when the guy submitting the 3 PRs is the XZ hacker. That _did_ happen:

https://salsa.debian.org/games-team/empire/-/merge_requests/1
https://salsa.debian.org/games-team/empire/-/merge_requests/2
https://news.ycombinator.com/item?id=39868390

So MRs for the pristine-tar & upstream branches are too big to review and can never be trusted if they are from newcomers. So we end up closing two MRs, doing the "gbp import" ourselves and asking the newcomers to rebase the branch with debian/ dir. A lot of people got lost at some point.

Having a magic button somewhere in the tracker or Salsa that basically asks "do the gbp-import" for me would be awesome.

On Mon, 18 Aug 2025 at 14:23, Colin Watson <cjwat...@debian.org> wrote:
>
> On Sat, Aug 16, 2025 at 07:14:06AM +0200, Marc Haber wrote:
> >And it prompts a question: Integrating a new upstream release means
> >changing at least two, in the case of pristine-tar being used three
> >branches at once, tightly connected to each other, and possibly an
> >external file (the orig tarball). Could a contributor do that with an
> >MR?
>
> I've seen the occasional case where a contributor has submitted a set of
> multiple MRs to update all the relevant branches, with notes in the MR
> description about needing to review them all together. But it's really
> very clunky and I don't think it should be recommended.
>
> --
> Colin Watson (he/him) [cjwat...@debian.org]
>