Otto Kekäläinen dijo [Tue, Feb 10, 2026 at 11:54:11PM +0800]:
I second Holger's comments. I think a lot of people want to stop doing
uploads via ftp/ssh and use git tags instead, but tag2upload / git
debpush has design decisions which breaks traditional software
provenance assumptions in Debian, such as being able to check
bit-for-bit that the tarball was actually the same as from upstream,
or store and check upstream signatures.
The tag2upload service is tightly coupled with dgit, and while dgit by
design will never support pristine-tar type of ability to reproduce
upstream tarballs bit-for-bit, it should at least have the actual
upstream signed tags instead (from upstreams that publish them).
Right, Otto's comment resonates with me. My packaging can be considered
old-style in many ways, but I don't want to move away from what has worked
with me for a long time and does not cause any friction. And I use two
tools you have repeatedly spoken against: pristine-tar and quilt.
Thus it is a bit too early to recommend git debpush to newbies. If
might be reasonable in the future though with some technical changes,
mainly these:
#1106071 wanted: tag2upload support for pristine-tar
#1110269 tag2upload (and dgit?) should deposit upstream tags
(+#1106073 dgit should convey upstream git tags to dgit-repos)
+1
There were already suggestions on debian-devel@ that maintainers
should use dgit push for the initial -1 upload and git debpush for the
-1+N uploads. That is obviously overly complex and shows that this is
not ready to be recommended to newbies in the developers reference.
+1
Greetings,
– Gunnar.
