On Thu, Feb 12, 2026 at 01:26:52AM +0000, Colin Watson wrote:
> Well, for my own packages I insist on including upstream git history,
> so this certainly wasn't my choice, and it was before my time on the
> DPT.
While we are talking about this topic: Many packages have un-autoconfed
sources in their git master, then tag a release, run autoreconf
(optionally setting a version number) on the tree and package that up
as their release tarball. Thus, we have the release tag pointing to
different content than what is in the release tarball.
While I do understand that this is the exact workflow that allowed the
xz attack to happen, this is still the reality especially for packages on
"Zugschlus' scrap shelf".
How would I:
- convert such a package to have the upstream git history in salsa's
main branch
- still be able to do an upload with upstream's signed origtargz
- probably even have upstream git history in git log of debian/latest?
I guess this would need to fork off upstream's release tags, add the
diff to the release tarball every time, set my own "upstream" release
tag, and merge that into debian/latest. Sadly, rebasing debian/latest on
my own "upstream" release tag wouldn't work since that'd rewrite
debian/latest history every time a new upstream release comes, right?
And uscan probably doesn't support that either, right?
I think that most of the people promoting building debian packages from
upstream git expect upstream to have the release tarballs and the release
tag have the identical contents, if there is a release tarball in the
first place. In my set of packages, this is a rare case.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
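Editor's note, added to this thread as an example and not code posted by either participant or taken from git-buildpackage: the shell script below shows, in plain git, one way to do what the message above asks for. It simulates an upstream that tags a release and then ships a tarball containing generated files the tag lacks, imports that tarball as a commit on an "upstream" branch whose parents are the previous import and upstream's release tag, and merges each such import into debian/latest. The repository names, versions, file contents and the `foo` package are constructed for the demo; `make_upstream_release`, `import_orig` and `merge_into_packaging` are the example's own helper names.

```shell
#!/bin/sh
# Added example for this thread, not code from it or from git-buildpackage:
# the git plumbing behind importing an autoreconf'd release tarball whose
# contents differ from upstream's release tag, so that the upstream branch
# and debian/latest both carry upstream's history. Repository names, versions
# and file contents are constructed for the demo.
set -e

# Deterministic identity; ignore user/system git config (no signing hooks).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null

# Stand-in for upstream's workflow: commit, tag, then build the release
# tarball from the tag plus generated files that are not in git.
# Prints the tarball path.
make_upstream_release() {   # $1=upstream repo  $2=version
    git -C "$1" add -A
    git -C "$1" commit -q -m "Release $2"
    git -C "$1" tag "v$2"
    stage=$(mktemp -d)
    git -C "$1" archive --prefix="foo-$2/" "v$2" | tar -x -C "$stage"
    # what "autoreconf" would add: present in the tarball, absent from the tag
    printf '#!/bin/sh\n# generated configure for %s\n' "$2" > "$stage/foo-$2/configure"
    tar -czf "$stage/foo_$2.orig.tar.gz" -C "$stage" "foo-$2"
    echo "$stage/foo_$2.orig.tar.gz"
}

# One import per release on the "upstream" branch: the commit's tree is
# exactly the tarball, its parents are the previous import and upstream's
# release tag, so the tag->tarball diff is recorded and upstream history is linked.
import_orig() {   # $1=packaging repo  $2=tarball  $3=version  $4=upstream vcs tag
    ( cd "$1"
      if git rev-parse -q --verify refs/heads/upstream >/dev/null; then
          git checkout -q upstream
          # "ours" keeps our tree but records $4 as a parent; --no-commit
          # leaves the merge open so the tarball tree can be swapped in first
          git merge -q -s ours --no-commit "$4" >/dev/null
      else
          git checkout -q -b upstream "$4"     # first import: start at the tag
      fi
      git rm -rfq .                            # drop the tagged tree ...
      tar -x -z --strip-components=1 -f "$2"   # ... and replace it with the tarball
      git add -A
      git commit -q -m "New upstream version $3"
      git tag "upstream/$3" )
}

# Merge (never rebase) the new upstream tag into debian/latest: published
# history stays intact and upstream's commits show up in "git log".
merge_into_packaging() {   # $1=packaging repo  $2=version
    ( cd "$1"
      if git rev-parse -q --verify refs/heads/debian/latest >/dev/null; then
          git checkout -q debian/latest
          git merge -q --no-edit "upstream/$2"
      else
          git checkout -q -b debian/latest "upstream/$2"
          mkdir debian && echo "Source: foo" > debian/control   # placeholder packaging
          git add debian && git commit -q -m "Initial packaging"
      fi )
}

# Inspection helpers (what a reviewer would check on the result).
upstream_parent_count() {        # $1=repo $2=version -> number of parents of upstream/<ver>
    git -C "$1" rev-list --parents -n1 "upstream/$2" | awk '{ print NF - 1 }'
}
files_only_in_tarball() {        # $1=repo $2=version -> paths in the tarball but not in the tag
    git -C "$1" diff --name-only --diff-filter=A "v$2" "upstream/$2"
}
upstream_releases_in_packaging() {   # $1=repo -> upstream "Release" commits reachable from debian/latest
    git -C "$1" log --format=%s debian/latest | grep -c '^Release '
}

demo() {
    WORK=$(mktemp -d)
    UP=$WORK/upstream  PKG=$WORK/foo-debian
    git init -q "$UP" && git -C "$UP" symbolic-ref HEAD refs/heads/main
    printf 'AC_INIT([foo],[1.0])\n' > "$UP/configure.ac"
    T10=$(make_upstream_release "$UP" 1.0)
    printf 'AC_INIT([foo],[1.1])\n' > "$UP/configure.ac"
    T11=$(make_upstream_release "$UP" 1.1)

    git clone -q "$UP" "$PKG"                     # brings upstream's full history and tags
    import_orig "$PKG" "$T10" 1.0 v1.0 && merge_into_packaging "$PKG" 1.0
    import_orig "$PKG" "$T11" 1.1 v1.1 && merge_into_packaging "$PKG" 1.1
    git -C "$PKG" log --oneline --graph debian/latest
}
demo
```

The point of recording the tag as a parent is that `git diff v1.1 upstream/1.1` then shows exactly what the release tarball adds on top of the tagged tree, which is the review that the xz case showed to be missing. The import starts from whatever tarball uscan fetched, so its signature check on the orig tarball is unaffected. git-buildpackage's `gbp import-orig` has an `--upstream-vcs-tag` option that adds upstream's tag as an extra parent of the import commit in the same way; the script above spells out the equivalent with plain git so the resulting graph is visible.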