Lucas Nussbaum writes ("Re: Include git commit id and git tree id in *.changes
files when uploading? [and 1 more messages]"):
> The third line is the interesting one. Some examples are caused by
> repacking, like
> https://debaudit.debian.net/orig-check/result/0b67b4adc5a7fa1b898a29b025e1ac7b9decee8edb666033a4112a64665ba404
> Detailed list for those 143 packages is available at
> https://people.debian.org/~lucas/t2u_wrong_commit.txt

I confess I'm not entirely sure what I'm seeing here.

I think you're saying that these are the packages where the commitid
embedded in the .orig (which we think came from t2u) is not the same
commitid as the one reported by uscan.

Is that right? Or are we talking about treeids?

If it's commitids I am frankly not surprised, because of the
prevalence of (ab)use[1] of gbp import-orig.

If it's treeids then I'm confused because there's a fair few
    800 - identical after tarball normalization
and I would have hoped that if the tarballs were "identical after
normalisation" and both made by git-archive, the corresponding
git commits would be treesame.

"700 - tarballs not identical" is more exciting. It's expected when
we see "+ds1" etc., but otherwise, I would think it anomalous if the
maintainer had adopted a git-first workflow. I looked at one from
your list roughly at random:

    golang-github-smallstep-certificates 0.29.0-1

The t2u log for that says that it reused an orig from the archive:

    downloading golang-github-smallstep-certificates_0.29.0.orig.tar.xz...
    # using existing orig(s)

Tracker says that there was 0.29.0-1~exp0 in experimental first.
That seems to be where the orig came from. That was also a t2u
upload, where we see:

    # no orig(s) in archive, generating
    + git deborig 916322e730d9671d709ed8962aec21af04054a72
    # created orig

916322e730d9671d709ed8962aec21af04054a72 is a commit by the Debian
maintainer titled "New upstream version 0.29.0". I looked at the
history and it seems like the Debian git history contains *some* of
the upstream git history, but debian/29.0-01 is not a descendant of
the upstream v0.29.0 tag (which I got from github). So the Debian
history is *partly* based on upstream somehow.

The only difference between the trees is a .VERSION file. It must have
been introduced by whatever tool the maintainer used to import the
tarball.

Maybe you want to add that to your set of bodges. *sigh*
(Who can say if a .VERSION file would affect the build output.)

This is all very interesting. You are definitely selling me on the
thesis that pristine-tar support in tag2upload would be helpful
to this kind of audit, rather than a hindrance.

Ian.

[1] Like I say, I think gbp import-orig has good uses, but they are
comparatively rare, while it's used very widely within Debian -
therefore, in circumstances where I wouldn't recommend it.

--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.