Ian Jackson <[email protected]> writes:

> Lucas Nussbaum writes ("Re: Include git commit id and git tree id in
> *.changes files when uploading? [and 1 more messages]"):
>> But it has something to do with upstream git commits. If
>> - upstream tarballs are generated to include the git commit used (as
>> with git-archive)
>> - and the tarball is not rewritten by uscan
>> - and pristine-tar is used
>> Then the git commit used by upstream to generate the tarball is
>> preserved in Debian's upstream (orig) tarball.
> ...
>> (as a tar pax header).
>
> Interesting. TIL that this is even possible!
>
> I think tag2upload-(re)generated origs (even without pristine-tar
> support) have the same property. They are generated with git-archive
> and the manpage suggests it includes this information unconditionally.
>
> I picked a recent tag2upload -1 upload, emacs-llama 1.0.3-1. The
> build log (sent to the debian-tag2upload list [0]) contains this:
>
> # no orig(s) in archive, generating
> + git deborig 2a89ba755b0459914a44b1ffa793e57f759a5b85
> # created orig
>
> It generated this tarball:
>
> db2efcb550a36160efc2799bc774478499ae685e40ecd709b434d65a7df894ed
> emacs-llama_1.0.3.orig.tar.xz
>
> And I see this:
>
> xzcat emacs-llama_1.0.3.orig.tar.xz | git-get-tar-commit-id
> 2a89ba755b0459914a44b1ffa793e57f759a5b85

That would only match upstream commit if 'emacs-llama' pins the
tag2upload upstream git commit to the actual upstream git commit, right?
Which it does for this package:

jas@frallan:~/dpkg/emacs-llama$ git tag -v debian/1.0.3-1
...
[dgit please-upload source=emacs-llama version=1.0.3-1 upstream-tag=v1.0.3 upstream=2a89ba755b0459914a44b1ffa793e57f759a5b85]
...
jas@frallan:~/dpkg/emacs-llama$ git log -p -1 origin/upstream/latest
commit 2a89ba755b0459914a44b1ffa793e57f759a5b85 (tag: v1.0.3, origin/upstream/latest)
...

However, I think for many packages, that is not what is happening,
because the tag2upload upstream git commit will be the 'upstream/1.2.3'
tag that is created by 'gbp import-orig'. Which is Debian-specific and
has only a weak SHA1-collision-vulnerable relationship to the upstream
git commit. So the auditability chain to upstream git is weak.

This leads me to believe that it would be better to use 'git-debpush
--upstream-tag=v1.2.3' instead of 'git-debpush
--upstream-tag=upstream/1.2.3', right?

I've been mixing those two styles in my uploads, to experiment with the
effect, and pending any recommendations on this. I haven't seen any
noticeable difference between these two styles, and mix between them
somewhat randomly to gain experience.

Is there any advantage to using --upstream-tag=upstream/1.2.3? I
thought that the 'git-deborig' design somehow preferred upstream/1.2.3
tag but that could be my mistake (my intuition for all of this is still
in training mode and often wrong, it seems).

/Simon
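
Added example (not part of the original message, and not git or dgit code): a Python sketch of the check discussed in the thread above, reading the commit id that git-archive records as the `comment` entry of the pax global header and comparing it with the `upstream=` field of the please-upload tag line. The helper names and the in-memory sample tarball are constructed for illustration. A match shows only that the orig was generated from the commit the tag names; whether that commit is the upstream project's own is the separate question raised in the message.

```python
import io, lzma, re, tarfile

BLOCK = 512  # tar block size
def tar_commit_id(data: bytes):
    """Return the commit id in a git-archive pax global header, else None."""
    if data[:6] == b"\xfd7zXZ\x00":           # .orig.tar.xz: decompress first
        data = lzma.decompress(data)
    header = data[:BLOCK]
    if len(header) < BLOCK or header[156:157] != b"g":   # typeflag 'g' = pax global header
        return None
    try:
        size = int(header[124:136].strip(b"\0 ") or b"0", 8)   # octal size field
    except ValueError:
        return None
    body, pos = data[BLOCK:BLOCK + size], 0
    while pos < len(body):                     # records: "<len> <key>=<value>\n"
        sp = body.find(b" ", pos)
        if sp < 0 or not body[pos:sp].isdigit():
            return None
        length = int(body[pos:sp])
        if length <= sp - pos:                 # malformed length: stop, do not loop
            return None
        key, _, value = body[sp + 1:pos + length].rstrip(b"\n").partition(b"=")
        if key == b"comment" and re.fullmatch(rb"[0-9a-f]{40}|[0-9a-f]{64}", value):
            return value.decode()
        pos += length
    return None

def please_upload_fields(tag_message: str) -> dict:
    """Parse the "[dgit please-upload k=v ...]" line of a tag message."""
    m = re.search(r"\[dgit please-upload ([^\]]*)\]", tag_message)
    return dict(f.split("=", 1) for f in m.group(1).split() if "=" in f) if m else {}

def orig_matches_tag(orig: bytes, tag_message: str) -> bool:
    """True when the tarball's recorded commit equals the tag's upstream= field."""
    commit = tar_commit_id(orig)
    return commit is not None and commit == please_upload_fields(tag_message).get("upstream")

def sample_orig(commit: str) -> bytes:
    """Constructed stand-in for an orig tarball: pax global header plus one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      pax_headers={"comment": commit}) as tf:
        info = tarfile.TarInfo("emacs-llama/README")
        info.size = 3
        tf.addfile(info, io.BytesIO(b"hi\n"))
    return buf.getvalue()

# please-upload line as quoted in the message above
TAG = "[dgit please-upload source=emacs-llama version=1.0.3-1 upstream-tag=v1.0.3 upstream=2a89ba755b0459914a44b1ffa793e57f759a5b85]"
```
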

