If we take a fresh upstream release directly into a stable release
update, then it seems to me that it's important to validate that the
orig tarball matches what upstream released, or is otherwise
reproducible against what upstream released (eg. if it was repacked for
the usual reasons).
It's not currently a documented hard requirement for SRUs, but I think
that it should be, or at least be our default position.
I've noticed some matter related to this concern a couple of days
running so I thought it was time to start a thread on this.
When reviewing an SRU that does this, I usually take steps to verify
this. If it doesn't match (usually due to a repack I cannot reproduce)
then I query it. This is sometimes quite painful to do as I try to track
down an upstream source and some way to validate it.
We have tooling to make this easy in the majority of cases, with uscan,
debian/watch and debian/upstream/signing-key.asc. I usually run `uscan
--download-current-version`, check that HTTPS or GPG was used, and that
the resulting tarball's hash matches the hash in the upload's changes
file.
It might help to understand my position in the other thread by
considering that I have myself been doing this kind of verification for
years when I review SRUs that include orig tarballs.
A few discussion points from this:
0) If you don't agree that this is important, then I guess this an
opportunity to make your point.
1) If you're preparing a relevant SRU, this is a request for you to
please ensure that uscan is set up appropriately with as much security
as upstream offer. Preferably this is done and maintained in the
development release, so by the time an SRU is required, there are no
changes needed to uscan configuration. Since this tooling is
well-established and this is best practice anyway, I trust that this
isn't a controversial request! Note that uscan can do some repacking via
mk-origtargz and Files-Excluded* in debian/copyright.
2) If uscan cannot be made to work, then it would be useful to document
how you arrived at the orig tarball you uploaded.
3) To what extent should this become a documented requirement for SRUs,
main inclusion, etc?
Robie
