On Thu, Dec 18, 2025 at 10:26:48AM -0600, Gunnar Wolf wrote:
> Hello Adrian,

Hi Gunnar,

> Adrian Bunk said [Thu, Dec 18, 2025 at 10:56:42AM +0200]:
> > > > tag2upload and dgit already do this.
> > > ...
> > > Are you aware of any attempts to integrate this into dpkg-buildpackage
> > > toolchain so systems that build .deb packages can have that metadata
> > > field universally and not just via official Debian uploads via
> > > tag2upload?
> >
> > If you want to actually be able to use that for audit purposes, you
> > might not want to work with the maintainer-specific mess that Salsa is.
> >
> > Only debian/ or complete sources?
> > debian/patches/ or patches applied?
> > One git repository per package, or 1k packages in one git repository?
> > The contents of a git tag/commit do sometimes not match the
> > contents of the package in the archive with the matching version.
> > And a git repository might disappear, or the commit might disappear,
> > or the commit was never pushed anywhere.
>
> The points you mention are all valid. However, I support Otto's idea here —
> Git repositories might disappear, or their history might be rewritten. It
> _most often_, however, does not happen — sharing the specific commit from
> which a given tree was built costs us _very_ little, and can provide
> important information for many use cases.
>...

The "To be better able to audit the software supply-chain" is the part
I disagreed with, not the part about recording some piece of metadata
somewhere that might sometimes be useful to someone.

> – Gunnar.

cu
Adrian

