Hello,

Perhaps the following elaborate statement can be condensed (once sufficient cooling has occurred :-))

1. Once pkg_ver.orig.tar.gz enters the Debian archive this is considered the authoritative Debian version from which all the binary Debian packages will be built (for that version of the package). A signature/checksum is used (in the upload and the Sources.gz file) so as to detect any "contamination".

2. If re-packaging of upstream sources was required in order to create this .orig.tar.gz, then this should be documented in the copyright file (with some further explication in README.Debian-source perhaps).

3. Whenever upstream releases a new version, one needs to create a pkg_nver.orig.tar.gz for the newer version.

In case this is merely a matter of downloading and renaming an upstream tar.gz, the "uscan" and "uupdate" programs are adequate and there is no significant need for a get-orig-source target.

In the case when re-packaging has been done as in (2), it is a non-trivial convenience if these steps are automated by such a program or target. Such a program further clarifies the statements in the copyright file and the README.Debian-source file. (Program as documentation!)

In the last case, someone who wishes to verify the accuracy of the statements in the copyright file may also wish to re-generate pkg_ver.orig.tar.gz to compare it with the Debian version. This can also be provided for to the extent possible.

If there is any reason to suspect that the pkg_ver.orig.tar.gz was not in fact created as documented, then this constitutes a bug whose severity would depend on the extent of the discrepancy.

Regards,

Kapil.
--
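The comparison of a re-generated pkg_ver.orig.tar.gz with the archive copy mentioned in the message above, as an added example that is not part of the original message or of any Debian tool. It assumes that "same tarball" means the same member names, types, modes and file contents, with timestamps ignored, because a repack changes tar and gzip timestamps and so a plain checksum comparison fails even when nothing was altered; the function names and sample data are constructed for illustration.

```python
import hashlib
import io
import tarfile

def tar_manifest(data: bytes) -> dict:
    """Map member name -> (type, mode, SHA-256 of content or link target)."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            if m.isfile():
                digest = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
            elif m.issym() or m.islnk():
                digest = "link:" + m.linkname
            else:
                digest = ""  # directories, devices: nothing to hash
            manifest[m.name.rstrip("/")] = (m.type, m.mode, digest)
    return manifest

def compare_orig(archive: bytes, regenerated: bytes) -> dict:
    """Report members that are missing, extra or different between the two."""
    a, b = tar_manifest(archive), tar_manifest(regenerated)
    return {
        "only_in_archive": sorted(a.keys() - b.keys()),
        "only_in_regenerated": sorted(b.keys() - a.keys()),
        "differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def build_sample(files: dict, mtime: int) -> bytes:
    """Constructed test input: an in-memory .tar.gz with the given mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(content), mtime, 0o644
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

if __name__ == "__main__":
    files = {"pkg-1.0/README": b"hello\n", "pkg-1.0/main.c": b"int x;\n"}
    in_archive = build_sample(files, 1000000000)
    rebuilt = build_sample(files, 1200000000)   # same content, later repack
    print(in_archive == rebuilt)                # byte comparison fails
    print(compare_orig(in_archive, rebuilt))    # content comparison is clean
    files["pkg-1.0/main.c"] = b"int y;\n"
    print(compare_orig(in_archive, build_sample(files, 1200000000)))
```

For real files, pass the bytes of each tarball read from disk to compare_orig; any non-empty list in the result is a discrepancy to explain against the copyright file.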