[Debian-med-packaging] uscan/get-orig-source; identical tarballs
Andreas Tille
andreas at fam-tille.de
Thu Jan 31 12:20:41 UTC 2013

On Thu, Jan 31, 2013 at 09:52:10PM +1100, Dmitry Smirnov wrote:
> > On Mon, Jan 28, 2013 at 10:37:16PM +1100, Dmitry Smirnov wrote:
> > > Your abilities to follow the changes in debian-med are truly awesome. I
> > > was just going to write to you when I've noticed your reply.
> >
> > Well, it's as easy as subscribing to a mailing list, right? ;-)
>
> Hmm, easy to subscribe but hard to follow many mailing lists...

Sure. So *I* am subscribed and when being subscribed it is not awesome
to follow the changes - that's all. :-)

> It can be quite time consuming... Perhaps unsubscribing and narrowing the focus
> could help...

Sure - I did not intend to recommend subscribing to the changes list -
just explaining ...

> > On the pro side of uscan is that I have seen sooo many get-orig-source
> > scripts doing always the same thing (and some of them do it even in a
> > broken way.)
> >
> > For instance when rebuilding the tarball it is a good idea to use
> >
> > tar --owner=root --group=root --mode=a+rX
> >
> > to have some better reproducible results (there are some discussions on
> > debian-devel why it is close to impossible to get an MD5 identical
> > tarball for two different `tar -c` processes - but it is a good thing to
> > try at least to get very similar tarballs). In uscan you can hardwire
> > this knowledge which is not that widely populated amongst DDs.
>
> This is great advice, thank you. Just recently I was updating a package where
> I had to check integrity of previously generated tar.xz.
>
> "--owner=root --group=root --mode=a+rX" arguments helped to achieve more
> predictable results.

Yes. So my idea to recommend uscan was twofold: On one hand it
simplifies get-orig-source and on the other hand there is no need that
people have the knowledge about those options because they are applied
without any additional means.

> In packages where my get-orig-source generates orig.tar from upstream
> repository checkout I pass something like "--mtime=2012-01-31" to tar (when
> possible) in order to get binary-identical archives. It helps.

This might help to get binary-identical archives but destroys the
original time stamps - something that I personally do not like (also in
VCS checkouts which I personally consider a misfeature.)

Kind regards

       Andreas.
--
http://fam-tille.de
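
The tar options discussed in this thread, as an added example that is not part of the original messages: it packs two constructed checkouts of the same content (different file modes and timestamps) with a plain `tar -c` and with the normalizing options, then compares the archives byte for byte. It assumes GNU tar; `--sort=name`, `--numeric-owner` and `--format=gnu` are additions not mentioned in the thread, and the tree layout and function names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Needs GNU tar; --sort=name, --numeric-owner
# and --format=gnu are assumptions added here, the other options are from the thread.

# pack_plain SRC_DIR OUT_TAR: plain `tar -c`, keeps local owner, modes and mtimes
pack_plain() { tar -C "$1" -cf "$2" .; }

# pack_normalized SRC_DIR OUT_TAR MTIME: fix everything that varies between checkouts
pack_normalized() {
    tar -C "$1" --format=gnu --sort=name \
        --owner=root --group=root --numeric-owner \
        --mode=a+rX --mtime="$3" -cf "$2" .
}

# make_tree DIR FILE_MODE: constructed stand-in for an upstream checkout
make_tree() {
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
    printf 'all:\n\tcc -o demo src/main.c\n' > "$1/Makefile"
    chmod "$2" "$1/Makefile"
}

# same_or_differ A B: byte-wise comparison, stricter than comparing MD5 sums
same_or_differ() { if cmp -s "$1" "$2"; then echo same; else echo differ; fi; }

# compare_runs: prints "plain=<result> normalized=<result>"
compare_runs() {
    work=$(mktemp -d) || return 1
    make_tree "$work/a" 600
    make_tree "$work/b" 640
    # Second checkout gets older timestamps, as a later clone or export would differ
    touch -t 200102030405.06 "$work/b/Makefile" "$work/b/src/main.c" \
        "$work/b/src" "$work/b"
    pack_plain "$work/a" "$work/plain-a.tar"
    pack_plain "$work/b" "$work/plain-b.tar"
    pack_normalized "$work/a" "$work/norm-a.tar" '2012-01-31 00:00:00 UTC'
    pack_normalized "$work/b" "$work/norm-b.tar" '2012-01-31 00:00:00 UTC'
    result="plain=$(same_or_differ "$work/plain-a.tar" "$work/plain-b.tar")"
    result="$result normalized=$(same_or_differ "$work/norm-a.tar" "$work/norm-b.tar")"
    rm -rf "$work"
    echo "$result"
}

compare_runs   # → plain=differ normalized=same
```

The normalized archives match only because `--mtime` overwrites every timestamp, which is the loss of original time stamps objected to in the reply above.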