Hi, Chris Frey wrote (31 May 2012 22:39:54 GMT) : > Making every maintainer update their package in order to support > hardening seems like the long way around. But so be it. :-)
I agree but the decision was not made this way, so let's deal with it :) > There is no guarantee either that the diffs you look at with git-log > are the same changes that end up in the binary file you get out of > a pristine-tar commit. It is unlikely that they will differ, but > thinking that pristine-tar is somehow closer to the real git sources > than a signed binary tarball from sourceforge is mistaken. There is > a trust gap in both. The xdelta can contain anything. Ah. Looks like you are absolutely right. I never thought of this. Thanks a lot for educating me! :) >> > If I find a way to make git-buildpackage run for you as expected, >> > without pristine-tar, would that be satisfactory? Maybe that's >> > impossible, but I'd really like to get rid of that dependency. [...] > If I stop autogenerating configure in the .orig.tar.gz, and stop > pre-generating html docs in it, which aren't used anyway, it should > be possible for you to import the .dsc file using git-buildpackage > and have a completely empty git-diff between my release tag and your > git-buildpackage master tree. This would allow you to peruse my > upstream git log with certainty that you're actually viewing the > real changes. > I don't think you'll need to use debdiff anymore. Looks great. > [...] > But the diff between the master branch (created by git-buildpackage) and my > barry-0.18.3 tag only contained the autogenerated files for the html docs > and autoconf. Without such cruft in the .orig.tar.gz release, you could > easily import my releases, and review them at will, and use git-buildpackage > however you like. It would make the release files smaller too. This looks like an awesome solution. Let's try it! > The downloads from sourceforge worked just fine from the > command line. Sure. However, the URLs you provided me until now did not. Did I miss a way to get the real download URL from the click-one, without firing up a web browser? > Please let me know what you think of my above plan. If it is > satisfactory, I can release barry-0.18.3-2 soon, and we can see how > our workflows mesh. Yeah, let's try for real soon. Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc -- To UNSUBSCRIBE, email to debian-wnpp-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/8562b8rdz7....@boum.org
