Package: dgit
Version: 13.5

It has become clear to me in many corridor conversations that
workflows involving pristine-tar and upstream origs are really very
common.  Where upstream origs are not treesame to git (which is
basically whenever they were not made by git-archive):

 1. Existing non-git-first workflows (git-buildpackage) do not report
    the discrepancy.  They treat the tarball as more authoritative.

 2. dgit push-source will fail.  tag2upload will fail, even if
    we implement pristine-tar support.

Of course no-one should be using these workflows, but we need to think
whether we would rather somehow dismantle this barrier to dgit/t2u
adoption.  In practice I think the folks with the vulnerable workflow
are going to keep with their vulnerable workflow anyway.

The obvious way would be to reify the xz attack diff as an extra patch
in d/patches, during git canonicalisation (as we do for .gitignore).

Ian.

-- 
Ian Jackson <[email protected]>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
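
As an added example, not part of the report or of dgit, here is the check that the non-git-first workflows above skip: unpack the orig tarball beside a `git archive` of the upstream tag and diff the two trees, so any content that reached the tarball without going through git is reported rather than treated as authoritative. It assumes git, tar, gzip and diff are installed; the repo, tag and tarball names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report): detect an upstream orig tarball
# that is not treesame to the git tag it claims to correspond to.
# Assumes git, tar, gzip and diff; every name below is constructed.
set -eu

# orig_vs_git REPO TAG TARBALL: 0 if the tarball is treesame to TAG,
# 1 otherwise (differing paths are printed by diff).  Orig tarballs carry
# one top-level directory, which is stripped on extraction.
orig_vs_git() {
    repo=$1 tag=$2 tarball=$3
    work=$(mktemp -d)
    mkdir "$work/git" "$work/orig"
    git -C "$repo" archive --format=tar "$tag" | tar -xf - -C "$work/git"
    tar -xzf "$tarball" -C "$work/orig" --strip-components=1
    if diff -r "$work/git" "$work/orig"; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}

# Constructed fixture: a one-file upstream repo tagged upstream/1.0, a
# faithful orig made with git archive, and a tampered orig holding the
# same files plus one that was never committed to git.  Prints its dir.
make_fixture() {
    fx=$(mktemp -d)
    git init -q "$fx/src"
    printf 'all:\n\t@echo build\n' > "$fx/src/Makefile"
    git -C "$fx/src" add Makefile
    git -C "$fx/src" -c user.name=u -c user.email=u@example.invalid \
        -c commit.gpgsign=false commit -q -m import
    git -C "$fx/src" tag upstream/1.0
    git -C "$fx/src" archive --format=tar --prefix=foo-1.0/ upstream/1.0 \
        | gzip > "$fx/foo_1.0.orig.tar.gz"
    mkdir -p "$fx/stage/foo-1.0"
    cp "$fx/src/Makefile" "$fx/stage/foo-1.0/"
    echo 'content that is not in git' > "$fx/stage/foo-1.0/extra.m4"
    tar -czf "$fx/foo_1.0.tampered.orig.tar.gz" -C "$fx/stage" foo-1.0
    echo "$fx"
}

# Demo run: the faithful orig passes, the tampered one is reported.
fx=$(make_fixture)
orig_vs_git "$fx/src" upstream/1.0 "$fx/foo_1.0.orig.tar.gz" \
    && echo "faithful orig: treesame"
orig_vs_git "$fx/src" upstream/1.0 "$fx/foo_1.0.tampered.orig.tar.gz" \
    || echo "tampered orig: NOT treesame"
```

The diff output for the tampered orig is exactly the material the report proposes to reify as an extra patch in d/patches during git canonicalisation.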
