Re: Validating tarballs against git repositories

To: Thomas Goirand <zigo@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Validating tarballs against git repositories
From: Stefano Rivera <stefanor@debian.org>
Date: Tue, 2 Apr 2024 23:15:11 +0000
Message-id: <[🔎] 20240402231511.du5idls5vqbl34go@satie.tumbleweed.org.za>
Mail-followup-to: Thomas Goirand <zigo@debian.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] a7bc99eb-0fba-48a7-82c5-8d84ee0b2ba4@debian.org>
References: <2fbfdafc-31f1-43df-be49-f6b0725bfb3e@aerusso.net> <ZgeYAQuIz7DBtunP@thunder.hadrons.org> <20240331223249.gacdgepaofcw6fdc@satie.tumbleweed.org.za> <[🔎] a7bc99eb-0fba-48a7-82c5-8d84ee0b2ba4@debian.org>

Hi Thomas (2024.04.02_22:33:47_+0000)
> Anyways, on the 400+ packages that I maintain within the OpenStack team, I
> did come across some upstream using setuptools-scm. To my experience, using
> the:
> 
> git archive --prefix=$(DEBPKGNAME)-$(VERSION)/ $(GIT_TAG) \
> 	| xz >../$(DEBPKGNAME)_$(VERSION).orig.tar.xz
> 
> workflow out of an upstream always work, including for those that are using
> setuptools-scm.

Then you haven't come across any that are using this mechanism to
install data, yet. You're only seeing the version determination.
You will, at some point run into this problem. It's getting more
popular.

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272

Reply to:

Follow-Ups:
- Re: Validating tarballs against git repositories
  - From: Russ Allbery <rra@debian.org>

References:
- Re: Validating tarballs against git repositories
  - From: Thomas Goirand <zigo@debian.org>

Prev by Date: Bug#1068289: ITP: wtmpdb -- Y2038 safe wtmp implementation
Next by Date: Re: Validating tarballs against git repositories
Previous by thread: Re: Validating tarballs against git repositories
Next by thread: Re: Validating tarballs against git repositories
Index(es):
- Date
- Thread