On 2025-02-15 12:33:16 +0100 (+0100), Daniel Gröber wrote:
[...]
I'm not that particular upstream, but with my upstream hat for other
projects on, there's a lot of data in a Git repository that our
source tarball build process relies on but isn't strictly files in
the checked-out worktree: names and addresses of all commit authors,
most recent tag in the checkout's history and number of commits
following it, presence of certain footer lines in commit messages
after the most recent tag, tags in the checkout's history matching a
specific pattern which come immediately after the introduction of
each file in a certain directory... these are things easily queried
from a (non-shallow) clone of the repository but which aren't simple
string substitutions.

There are several reasons for this complexity: First and foremost,
when these projects started Git was still fairly new on the scene,
and most distros preferred or even required source tarballs for
packaging. Second, the projects' maintainers were burned on multiple
occasions by mistakes where metadata duplicated from Git committed
into the file tree ended up out of sync or straddling release
points, so developed ways to avoid the duplication and risk of
divergence by extracting that data from Git at dist build time.
Third, because the projects needed to deal with heavy volumes of
development activity from many contributors in parallel, they relied
on a distributed parallel approval model with the fewest possible
coordination chokepoints, so needed to support independent features
merging in arbitrary order with things like release notes sorted out
automatically whenever a release got tagged.

I would argue that our source tarballs don't exactly "differ" from
what's in Git; they include content which isn't solely represented
by the worktree files in a corresponding checkout, but is still data
extracted from the corresponding Git repository state. Downstream
distros can choose to use our official signed release source
tarballs, or run the tarball build process themselves from a full
checkout of our Git repositories, but just naively dumping the file
tree from a git checkout or even using a shallow clone is inadequate
and we expressly do not support those workflows (if someone insists
on doing that, it's on them to make it work, and to check that
they're not omitting things the copyright license references such as
a generated authors file).

Unfortunately, package maintainers sometimes like to insist that
upstream projects' workflows are "wrong" because the choices they've
made differ from how other projects might choose to develop
software, but communities are unique and often face different
challenges that need their own solutions or aren't willing to
compromise by adopting partial solutions popular elsewhere just to
conform.

Hi,
That divergence is reflected between the official upstream tarballs and
the tarballs that can be downloaded from their GitHub releases page.

There is a similar issue with Gradle where there are official "source
distributions" ZIPs [1] (generated by gradle as part of its build) and
not-really-that-much-less-official release tarballs [2] automatically
generated by GitHub. The divergence between both is shown at [3].

In the case of Gradle, as the official source ZIPs are lacking
documentation files that I think are important (e.g. LICENSE) I switched
to using GitHub tarballs, and will probably switch again to use uscan's
mode=git as it's simpler to configure and more reliable for large
projects that release often. That mode could end up being adopted by the
Java Team for all projects hosted on GitHub for that reason, and also
because it seems easier to convince upstream projects to sign their
release tags than to sign their release tarballs. In this specific case
however I also believe that the upstream project should fix their source
archives generation.

In the case of curl, I believe that for Debian using the official
tarball is fine. If I had to use their upstream git repo for Debian
packaging, I would probably write a small custom script that runs their
maketgz script and can be used in the watch file to regenerate
official-like "original" tarballs the same way as upstream.
I think that this is a reasonable approach that would make the build a
lot less brittle, and that should be submitted upstream.

Cheers,


[1]: https://services.gradle.org/distributions/
[2]: https://github.com/gradle/gradle/tags
[3]:
https://salsa.debian.org/jpd/gradle/-/blob/287ae5c99790f266e242964321955f7c77f397df/debian/wip/delta-ghtar-gradlezip

This is a false dichotomy, though. It's perfectly possible to use both
in conjunction with each other, by importing a tarball on top of an
upstream git tag so that the differences between them are represented by
a git commit. There are various tools in Debian to help with this.

I don't understand: it never was about packaging a random git commit.

Upstream works on code in a preferred form, and tags a definite commit
as being version 3.14159. This gets in some tarballs already in some
cases (github comes to mind) ; call that source-level-zero.
tagging) ; often some autotools, 'dune' on the package which started
this thread, but rust/js/ruby/whatever also have their own. This tool
turns the git commit tree into some pre-compiled tree, put into another
tarball. Call this source-level-one.

The point I made about the elpi package is that we want to ship source-
zero, as that's what upstream works on. This is in line with Debian
shipping autotools-based packages but re-running the autotools before
they run configure again.
Well, "use what upstream publishes" sounds nice until you look at the
landscape :

- many Python upstreams use pypi and consider that their pypi package
is what they publish ;

- many JavaScript upstreams use npm and consider that their npm package
is what they publish ;

- many Rust upstream use cargo and consider that their cargo package is
what they publish ;

- many OCaml upstreams use opam and consider that their opam package is
what they publish ;

- many Coq upstreams use a sub-distribution of opam (the Coq Platform)
and consider this is what they publish ;

- etc.

There is a huge confusion in many upstream's heads that putting their
software on people's computers is what "distributing" means. The fact
that their software is only semi-coherent with the system (only within
a certain programming language boundary) is a problem.

Debian is a whole-system distribution ; we make sure software works in
a coherent system-wide way, and basing our packages on code which has
already been pre-package for a subpar distribution (language-limited)
isn't a good option.

Cheers,

J.Puydt

Hello,
The Debian project officially disagrees with you.

The preferred form for modification, which is what NEW cares about, is
determined by upstream's actual practices, not by their fiat.

We frequently reject packages from NEW because we have minified files;
we add the source to debian/missing-sources/.