[Pkg-privacy-maintainers] Bug#875252: Bug#875252: torbirdy: debian/watch looks at a page that has no upstream tarball/XPI

[u]

Hi!

intrigeri:
> u:
>> And it turns out I did that because I did not want to unpack and
>> repack an XPI (previously) while I can use a Git branch with
>> a PGP signature.
> 
> Just curious:
> 
>  * doesn't uscan do the unpacking/repacking automatically
>    if it's told so in debian/watch?

Yes. With the xpi-repack otion.

>  * My understanding is that in theory, with:
> 
>       git tag -v XYZ && \
>       gbp import-orig --upstream-vcs-tag=XYZ --uscan
> 
>    … you might get the best of both worlds: automatic generation of
>    the orig tarball based on the artifacts they actually distribute,
>    full upstream Git history merged into our packaging history, and an
>    easy way to compare what's in the Git tag and what's in the
>    tarball/XPI.

See my updates in the packaging, this option is an option in README.source.

>    So I'm curious: what's the drawback of this approach compared to
>    the manual approach I see in debian/README.source, that seems
>    more tedious?

I believe the problem back when I made that change was that there were
no signed XPIs although now I do see them in the upstream repository.

I've now added this option to debian/watch and both approaches result in
the same thing. So it's up to the packager to do whatever s/he likes I
guess.

Cheers!
u.


-- 
Fingerprint: EDE3 F444 3F34 D261 9514  D790 B14B B0C3 8D86 1CF1
XMPP: u at 451f.org
Ricochet: ricochet:fmwr3m22bsn22the
	
"Once you can clearly describe what you are reacting to, free of your
interpretation or evaluation of it, other people are less likely to be
defensive when they hear it." Marshall B. Rosenberg

"Beyond ideas of wrongdoing and rightdoing there is a field. I’ll meet
you there." Rumi