Quoting Marc Haber (2026-02-12 12:35:15)
> On Thu, Feb 12, 2026 at 10:25:17AM +0000, Ian Jackson wrote:
> >On the question of upstream tarballs vs upstream git, devref
> >definitely needs to mention both approaches. I'm firmly of the
> >opinion that upstream git should be the preferred recommendation.
>
> I THINK that we should recommend including the form that upstream
> publishes with their signature.
[...]
> If they publish both and their contents are identical, then we SHOULD
> use the signed git tag if this makes it possible to have the
> .orig.tar.gz in our archive to have the same checksum as the upstream
> tarball.
>
> If using the signed git tag would result in a different orig.tar.gz in
> our archive then we SHOULD be sad (or improve our tools) and in the
> meantime use their release tarball (while optionally keeping upstream
> git history in our git).

I agree with the other cases (and thanks for spelling them all out
explicitly!), but I don't understand the above one.

Why SHOULD we be sad if upstream offers two formats and we pick one of
them without being able to recreate the other from it?

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely [ ] ask before reusing [ ] keep private

