Lucas Nussbaum writes ("Re: Include git commit id and git tree id in *.changes
files when uploading? [and 1 more messages]"):
> But it has something to do with upstream git commits. If
> - upstream tarballs are generated to include the git commit used (as
> with git-archive)
> - and the tarball is not rewritten by uscan
> - and pristine-tar is used
> Then the git commit used by upstream to generate the tarball is
> preserved in Debian's upstream (orig) tarball.
...
> (as a tar pax header).
Interesting. TIL that this is even possible!
I think tag2upload-(re)generated origs (even without pristine-tar
support) have the same property. They are generated with git-archive
and the manpage suggests it includes this information unconditionally.
I picked a recent tag2upload -1 upload, emacs-llama 1.0.3-1. The
build log (sent to the debian-tag2upload list [0]) contains this:
# no orig(s) in archive, generating
+ git deborig 2a89ba755b0459914a44b1ffa793e57f759a5b85
# created orig
It generated this tarball:
db2efcb550a36160efc2799bc774478499ae685e40ecd709b434d65a7df894ed
emacs-llama_1.0.3.orig.tar.xz
And I see this:
xzcat emacs-llama_1.0.3.orig.tar.xz | git-get-tar-commit-id
2a89ba755b0459914a44b1ffa793e57f759a5b85
I looked in debaudit (gosh, impressivwe site btw) and it does show a
previous version of this package, That was also uploaded using
tag2upload, and also involved a tag2upload-generated orig. Your
system says:
https://debaudit.debian.net/git2dsc/result/9bcde2733e81c15c76c1acc09549d4358c21cc9b49d876149cf2bfdb37c27b72
git2dsc report for emacs-llama 1.0.2-1
910 - git-generated dsc identical to archive dsc after normalization
which I think is good?
> That's not a corner case. According to debaudit/orig-check results,
> 57% of our packages in sid (that's 22016 packages) have an orig tarball
> that is bit-identical to the upstream tarball downloaded by uscan.
> Out of those 22016 orig tarball, 7769 (35%) include a git commit
So I think the existing tag2upload system makes this reliable. All
tag2upload-generated origs should have this metadata, and furthemore
the upstream commit mentioned will always be available and findable at
*.dgit.debian.org, even if the Salsa repo has moved or been deleted or
moved.
If we implement support pristine-tar, and users start to use it, this
property may no longer hold: a "pristine" orig tarball from upstream
might be lacking this particular metadata. So arguably pristine-tar
support is a regression!
The root cause of course is that "pristine" upstream tarballs are far
from pristine. The name of the pristine-tar program is a deliberate
joke, on the part of its author, even! What is really pristine is a
tarball generated from git-archive, which is what you are using for
this tracing strategy, and which is what tag2upload (without
pristine-tar) provides.
> For example, interestingly, there are 815 packages where the orig tarball
> commit
> does not match a freshly downloaded upstream tarball. A few examples:
> https://debaudit.debian.net/orig-check/result/00ea060645a90efd84709fa609b02a40081c9dcb0274619cc8246e38f87af1e2
> https://debaudit.debian.net/orig-check/result/015c69f5273e494330073760c1c3b27385d1057c35ceb25dca3a7e90c3d1c8ac
> https://debaudit.debian.net/orig-check/result/01f5dba7b0712cad020f624c5ca28151746845bae88cf7af8a51ed2aa612e08a
> https://debaudit.debian.net/orig-check/result/020f4cd9d4a34aae99df22649ec792d1d53faf1a7bc4c7366d285ec3176b798c
> https://debaudit.debian.net/orig-check/result/02227b8efcf6e905f919f65cb0eb85ee975b925cd305a7db33ed1c8ea6c3bf33
Interesting. Are you able to easily search for such situations where
the upload was done with tag2upload?
Ian.
[0]
https://lists.debian.org/debian-tag2upload/
This list is public, with open subscription, but unfortunately the
web view of the archives is currently broken. The archives are
available to DD's on master.debian.org.
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
