[Debian-med-packaging] uscan/get-orig-source; identical tarballs

Dmitry Smirnov onlyjob at member.fsf.org
Thu Jan 31 10:52:10 UTC 2013


On Tue, 29 Jan 2013 00:20:15 Andreas Tille wrote:
> On Mon, Jan 28, 2013 at 10:37:16PM +1100, Dmitry Smirnov wrote:
> > Your abilities to follow the changes in debian-med are truly awesome. I
> > was just going to write to you when I've noticed your reply.
> 
> Well, it's as easy as subscribing to a mailing list, right? ;-)

Hmm, easy to subscribe but hard to follow many mail lists... 
It can be quite time consuming... Perhaps unsubscribing and narrowing the focus 
could help...
 
> > > BTW, regarding the get-orig-source target:  A lot of these things could
> > > be done by using the enhanced / not yet officially available uscan
> > > 
> > >    https://wiki.debian.org/UscanEnhancements
> > > 
> > > IMHO the only thing that is not possible to do is the fix permissions
> > > thingy (but this should be reported upstream anyway).  If you are
> > > interested in these uscan enhancements you might like to check this
> > > out.
> > 
> > Thanks for reminding me about it. I've seen your effort regarding
> > improving uscan but frankly I wasn't following it closely.
> > 
> > I prefer get-orig-source to direct uscan invocation because the latter
> > requires keeping too many command line arguments in mind.
> 
> That's a fair reason to put the uscan call into the get-orig-source target.
> 
> > uscan has many
> > caveats especially if running from top-level directory with more than one
> > package in it or if current-working-directory is not where the package
> > is.
> > 
> > When uscan uses its configuration file its behaviour becomes even less
> > straightforward.
> 
> On the pro side of uscan is that I have seen sooo many get-orig-source
> scripts doing always the same thing (and some of them do it even in a
> broken way.)
> 
> For instance when rebuilding the tarball it is a good idea to use
> 
>    tar --owner=root --group=root --mode=a+rX
> 
> to have some better reproducible results (there are some discussions on
> debian-devel why it is close to impossible to get an MD5 identical
> tarball for two different `tar -c` processes - but it is a good thing to
> try at least to get very similar tarballs).  In uscan you can hardwire
> this knowledge which is not that widely populated amongst DDs.

This is great advice, thank you. Just recently I was updating a package where 
I had to check the integrity of a previously generated tar.xz.

"--owner=root --group=root --mode=a+rX" arguments helped to achieve more 
predictable results.

In packages where my get-orig-source generates orig.tar from upstream 
repository checkout I pass something like "--mtime=2012-01-31" to tar (when 
possible) in order to get binary-identical archives. It helps.

-- 
All the best,
 Dmitry Smirnov
 GPG key : 4096R/53968D1B

---

I am patient with stupidity, but not with those who are proud of it..
        -- Edith Sitwell
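
Added example, not part of the original message or of any Debian package: a shell sketch of the tar normalisation discussed in this thread, which packs a constructed sample tree twice with different file modes and timestamps and compares checksums. The function names, the sample tree, and the `--sort=name` and `--format=gnu` options are assumptions added here (GNU tar 1.28 or later); the owner, group, mode and mtime flags are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): normalise tar metadata so that
# regenerated orig tarballs can be compared by checksum.

# repro_tar SRC_DIR OUT_TAR MTIME
#   --owner/--group/--mode : the flags quoted in the thread
#   --mtime                : pinned timestamp, as described in the reply
#   --sort=name, --format=gnu : assumptions added here (GNU tar >= 1.28)
#                               to pin member order and header layout
# Note: a+rX only adds read/search bits; it does not clear group-write.
repro_tar() {
    tar --format=gnu --sort=name \
        --owner=root --group=root --mode=a+rX \
        --mtime="$3" \
        -C "$(dirname "$1")" -cf "$2" "$(basename "$1")"
}

tar_digest() { sha256sum "$1" | cut -d' ' -f1; }

# Pack a constructed sample tree twice, changing file mode and mtime in
# between. Returns 0 only if the normalised tarballs are identical AND
# the plain `tar -c` tarballs differ.
reproducibility_demo() {
    w=$(mktemp -d) || return 2
    mkdir -p "$w/pkg-1.0/src"
    printf 'constructed sample\n' > "$w/pkg-1.0/README"
    printf 'int main(void){return 0;}\n' > "$w/pkg-1.0/src/main.c"
    chmod 644 "$w/pkg-1.0/README"

    repro_tar "$w/pkg-1.0" "$w/norm-a.tar" '2012-01-31 00:00Z'
    tar -C "$w" -cf "$w/plain-a.tar" pkg-1.0

    # Simulate a second checkout: stricter mode, different timestamps.
    chmod 600 "$w/pkg-1.0/README"
    touch -t 201301311052 "$w/pkg-1.0/README" "$w/pkg-1.0/src/main.c"

    repro_tar "$w/pkg-1.0" "$w/norm-b.tar" '2012-01-31 00:00Z'
    tar -C "$w" -cf "$w/plain-b.tar" pkg-1.0

    rc=0
    [ "$(tar_digest "$w/norm-a.tar")" = "$(tar_digest "$w/norm-b.tar")" ] || rc=1
    [ "$(tar_digest "$w/plain-a.tar")" != "$(tar_digest "$w/plain-b.tar")" ] || rc=1
    rm -rf "$w"
    return $rc
}

reproducibility_demo && echo "normalised tarballs are byte-identical"
```

The date passed to `--mtime` carries an explicit `Z` so the result does not depend on the local time zone of the machine that regenerates the tarball.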



