Hi Sean!

> > Has somebody else already been thinking about the same? Do others see
> > value in this?
>
> As has been pointed out, tag2upload adds fields for exactly this
> purpose. But as you said in another message, we might want to think
> about adding fields like you propose for non-tag2upload uploads.
>
> I think it would be most fruitful for you to wait a little while. I'm
> saying this because the tag2upload beta is ending very soon. We have
> stopped receiving bug reports that make us think "we have to fix this
> before we can end the beta". We are just finishing up three remaining
> issues.[1]
>
> When tag2upload leaves beta, a lot of maintainers will switch over to it
> for their uploads, so a lot of uploads will gain the metadata you want.

Good to hear you consider tag2upload soon ready for Debian-wide use.

What is the plan of supporting pristine-tar and uploading upstream orig.tar.gz file unmodified? The issue https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106071#40 seems to have ended in only a documentation update in https://salsa.debian.org/dgit-team/dgit/-/merge_requests/264

It would be a pity if we lose the ability to verify detached OpenPGP signatures for the upstreams that do publish both orig.tar.gz and orig.tar.gz.asc. Currently the ability to cryptographically verify authenticity of the upstream sources in a single operation for a lot of packages significantly decreases the amount of files that have to be diffed when auditing what was modified in Debian vs. original upstream.

I know your end goal is to stop using tarballs completely and just import git commits directly from upstream, but I think we still need to retain real original .orig.tar.gz tarballs for some years more until 100% of upstreams use git and 100% of Debian packaging git repositories have the debian/latest branch on top of a real upstream release branch so Debian changes can be diffed in relation to upstream release commits.

Having everyone use tag2upload obviously helps ensure that what was uploaded, and what is in git, stays in sync. The metadata allows checking the chain between the Debian archive and the Debian packaging git repo, but we should not make it harder to check the link between Debian and upstream in the process by obsoleting upstream orig.tar.gz in the process.

Thanks,
Otto

