Thursday 3 October 2024

Re: SRUs and the importance of validating upstream release tarballs

On Thu, Oct 03, 2024 at 09:51:36PM +0800, Shengjing Zhu wrote:
> On Wed, Oct 2, 2024 at 6:02 PM Robie Basak <robie.basak@ubuntu.com> wrote:

> > If we take a fresh upstream release directly into a stable release
> > update, then it seems to me that it's important to validate that the
> > orig tarball matches what upstream released, or is otherwise
> > reproducible against what upstream released (eg. if it was repacked for
> > the usual reasons).

> > It's not currently a documented hard requirement for SRUs, but I think
> > that it should be, or at least be our default position.

> Why is this only the hard requirement for SRU? IMHO It should be a
> hard requirement for all the uploads.

I agree, and it's something that I as an uploader take care of whenever I am
in a situation of packaging a new upstream version. But there's no
enforcement of it at the archive level (this wouldn't even be meaningful),
so in the devel series we rely on individual uploaders to check/enforce this
(just as we do in Debian).

The SRU process however has an additional review step with the SRU team, so
it is possible to impose such a check at that point.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    https://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org
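The check the thread is asking for, as an added example (this is not code from the thread, nor from Debian or Ubuntu tooling such as uscan): given the orig tarball in the upload, the tarball upstream actually published, and the checksum upstream published for it, confirm either that the two are byte-identical, or, for a repacked orig, that every file it still carries is byte-for-byte what upstream shipped and that every file it drops is covered by a declared exclusion pattern. The tarballs and the "published" checksum below are constructed inline so the script runs offline; the hypothetical `check_orig_tarball` function, the simplified glob matching via `fnmatch`, and the strip-one-leading-directory normalisation are this example's own assumptions, not how any archive tool is known to do it.

```python
from __future__ import annotations

import fnmatch
import hashlib
import io
import tarfile


def build_tar(members: dict[str, bytes]) -> bytes:
    """Build a small .tar.gz in memory (used only to construct sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_files(data: bytes) -> dict[str, bytes]:
    """Map each regular file in a tarball to its bytes."""
    out: dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.isfile():
                out[member.name] = tf.extractfile(member).read()
    return out


def strip_top_dir(name: str) -> str:
    # Assumption: both tarballs have one top-level directory, which may differ
    # (e.g. pkg-1.0/ upstream vs pkg-1.0+dfsg/ after a repack).
    return name.split("/", 1)[1] if "/" in name else name


def check_orig_tarball(orig: bytes, upstream: bytes, upstream_sha256: str,
                       files_excluded: tuple[str, ...] = ()) -> list[str]:
    """Return a list of problems; an empty list means the orig is validated.

    Order matters: the upstream artifact is checked against its published
    checksum first, because comparing against an unverified download proves
    nothing about what upstream actually released.
    """
    problems: list[str] = []
    if hashlib.sha256(upstream).hexdigest() != upstream_sha256:
        return ["upstream tarball does not match its published sha256"]
    if orig == upstream:
        return problems  # the simple case: orig is the upstream release, untouched
    # Repack case: only deletions are allowed, and only declared ones.
    up = {strip_top_dir(n): d for n, d in tar_files(upstream).items()}
    og = {strip_top_dir(n): d for n, d in tar_files(orig).items()}
    for path, data in og.items():
        if path not in up:
            problems.append(f"file not present in upstream release: {path}")
        elif data != up[path]:
            problems.append(f"content differs from upstream: {path}")
    for path in up:
        if path not in og and not any(fnmatch.fnmatch(path, p) for p in files_excluded):
            problems.append(f"removed without a matching exclusion pattern: {path}")
    return problems


def sample_case(tamper: bool = False) -> list[str]:
    """Constructed scenario: upstream pkg-1.0 repacked as pkg-1.0+dfsg dropping a PDF."""
    upstream = build_tar({
        "pkg-1.0/README": b"hello\n",
        "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
        "pkg-1.0/docs/vendor.pdf": b"%PDF-1.4 not-free-content\n",
    })
    published_sha256 = hashlib.sha256(upstream).hexdigest()  # stands in for upstream's published checksum
    orig_members = {
        "pkg-1.0+dfsg/README": b"hello\n",
        "pkg-1.0+dfsg/src/main.c": b"int main(void) { return 0; }\n",
    }
    if tamper:  # simulate an orig whose source silently differs from upstream
        orig_members["pkg-1.0+dfsg/src/main.c"] = b"int main(void) { return 1; }\n"
    orig = build_tar(orig_members)
    return check_orig_tarball(orig, upstream, published_sha256, files_excluded=("docs/*.pdf",))


if __name__ == "__main__":
    print("clean repack:", sample_case() or "OK")
    print("tampered repack:", sample_case(tamper=True))
```

In practice the "published checksum" input would come from upstream's signed release (a detached signature checked against the key shipped in debian/upstream/signing-key.asc, or the checksum file upstream signs), since a checksum fetched from the same place as the tarball only proves the download was not corrupted in transit, not that it is what upstream released.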