Thursday, 3 October 2024

Re: SRUs and the importance of validating upstream release tarballs

On Wed, Oct 2, 2024 at 6:02 PM Robie Basak <robie.basak@ubuntu.com> wrote:
>
> If we take a fresh upstream release directly into a stable release
> update, then it seems to me that it's important to validate that the
> orig tarball matches what upstream released, or is otherwise
> reproducible against what upstream released (eg. if it was repacked for
> the usual reasons).
>
> It's not currently a documented hard requirement for SRUs, but I think
> that it should be, or at least be our default position.
>

Why is this only a hard requirement for SRUs? IMHO it should be a
hard requirement for all uploads.

> I've noticed some matters related to this concern a couple of days
> running, so I thought it was time to start a thread on this.
>
> When reviewing an SRU that does this, I usually take steps to verify
> this. If it doesn't match (usually due to a repack I cannot reproduce)
> then I query it. This is sometimes quite painful to do as I try to track
> down an upstream source and some way to validate it.
>
> We have tooling to make this easy in the majority of cases, with uscan,
> debian/watch and debian/upstream/signing-key.asc. I usually run `uscan
> --download-current-version`, check that HTTPS or GPG was used, and that
> the resulting tarball's hash matches the hash in the upload's changes
> file.

uscan is great. But for upstreams that don't work with uscan,
maintainers can document it in the debian/README.source file, or even add
a get-orig-source target in debian/rules[1].

[1] https://www.debian.org/doc/manuals/maint-guide/dreq.en.html#targets

--
Shengjing Zhu
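
The hash check Robie describes (download with uscan, then confirm the orig tarball's SHA-256 is the one recorded in the upload's .changes file) as an added shell example; it is not part of this thread and not from devscripts. It assumes the tarball was already fetched (e.g. with `uscan --download-current-version`) and uses a constructed stand-in tarball and .changes file as fixtures.

```shell
#!/bin/sh
# changes_sha256 CHANGES_FILE FILENAME
# Prints the SHA-256 that the Checksums-Sha256 stanza of CHANGES_FILE
# records for FILENAME (stanza lines are " <sha256> <size> <filename>").
changes_sha256() {
  awk -v want="$2" '
    /^Checksums-Sha256:/ { insec = 1; next }   # enter the stanza
    /^[A-Za-z-]+:/       { insec = 0 }         # any other field header ends it
    insec && $3 == want  { print $1; exit }
  ' "$1"
}

# verify_orig CHANGES_FILE TARBALL
# Returns 0 if the on-disk tarball hashes to the recorded value, 1 otherwise.
verify_orig() {
  recorded=$(changes_sha256 "$1" "$(basename "$2")")
  [ -n "$recorded" ] || { echo "no Checksums-Sha256 entry for $2" >&2; return 1; }
  actual=$(sha256sum "$2" | cut -d' ' -f1)
  [ "$recorded" = "$actual" ]
}

# Constructed fixture, not a real upload: a stand-in orig tarball plus a
# .changes file whose Checksums-Sha256 stanza holds that tarball's true hash.
DEMO=$(mktemp -d)
printf 'constructed stand-in for upstream tarball contents\n' > "$DEMO/hello_1.0.orig.tar.gz"
GOOD=$(sha256sum "$DEMO/hello_1.0.orig.tar.gz" | cut -d' ' -f1)
SIZE=$(wc -c < "$DEMO/hello_1.0.orig.tar.gz" | tr -d ' ')
cat > "$DEMO/hello_1.0-1_source.changes" <<EOF
Format: 1.8
Source: hello
Checksums-Sha256:
 $GOOD $SIZE hello_1.0.orig.tar.gz
Files:
 00000000000000000000000000000000 $SIZE main optional hello_1.0.orig.tar.gz
EOF
# A second .changes whose recorded hash differs, standing in for an
# unreproducible repack or a download that does not match what upstream shipped.
sed "s/$GOOD/$(printf '%064d' 0)/" "$DEMO/hello_1.0-1_source.changes" > "$DEMO/tampered.changes"

if verify_orig "$DEMO/hello_1.0-1_source.changes" "$DEMO/hello_1.0.orig.tar.gz"; then
  echo "orig tarball matches the .changes file"
fi
verify_orig "$DEMO/tampered.changes" "$DEMO/hello_1.0.orig.tar.gz" \
  || echo "hash mismatch: query the upload before accepting it"
```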
