...

builder:work$ dgit -wn -pgit2cl --build-products-dir=3D../bpd --for-push fe= tch experimental
canonical suite name for experimental is rc-buggy
no version available from the archive
dgit: source package git2cl does not exist in suite experimental
# [new]
# package is new in this suite

builder:work$ git deborig b2866e9a66b43855a37e462d17a8ba1ca3c51d90

As I suspected.

(dgit would do the same thing if you didn't have the .orig locally,
but then it would fail - ie providing the .orig would be the user's
job. So using git-deborig there would count as "user error".)

Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This URL is helpful

https://api.ftp-master.debian.org/file_in_archive/%25git2cl%5C_3.0.orig.tar.xz

According to the docs:

"""
Check if a file pattern is known to the archive. Note that the
patterns are matched against the location of the files in the
pool, so for %tmux_2.3-1.dsc it will return t/tmux/tmux_2.3-1.dsc
as filename.

.. versionadded:: October 2016

:param filepattern: Pattern of the filenames to match. SQL LIKE
statement wildcard matches are supported, that
is % for zero, one or more characters, _ for a
single character match.
:return: List of dictionaries made out of
- filename
- sha256sum
- component
"""

$ curl -Ss 'https://api.ftp-master.debian.org/file_in_archive/%25git2cl%5C_3.0.orig.tar.xz' | jq
[
{
"filename": "g/git2cl/git2cl_3.0.orig.tar.xz",
"component": "main",
"sha256sum": "c16fb604903d7a370fd15c10323195a3f86e89f5016bdd8e718e9f31d50d323c"
}
]

We then have to find the file in the archive and actually download
it - but dgit has machinery for that already since it knows how to
turn a dsc record from the ftpmaster API into files on the local disk.

This should be a new dgit subcommand `dgit obtain-orig-from-archive`
or something.

One wrinkle is that ideally we want this to work even if the orig
upload is very recent and there hasn't been a mirror pulse. Is there
a way to have the builder go via some Debian-internal method?

Ian.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Ian Jackson writes ("Bug#1105766: [tag2upload 207] failed, git2cl 1:3.0-3 [and 1 more messages]"):

This URL is helpful

https://api.ftp-master.debian.org/file_in_archive/%25git2cl%5C_3.0.orig.tar.xz

I discovered something quite exciting:

$ curl -Ss 'https://api.ftp-master.debian.org/file_in_archive/%25/guile-fibers%5c_1.3.1.orig%25.tar.%25' | jq .
[
{
"filename": "g/guile-fibers/guile-fibers_1.3.1.orig.tar.xz",
"component": "main",
"sha256sum": "9384ce475cb9af6b20b80b36f21c0e6d847517e0b8e5648afb215d4ed6883160"
},
{
"filename": "g/guile-fibers/guile-fibers_1.3.1.orig.tar.gz",
"component": "main",
"sha256sum": "a5e1a9c49c0efe7ac6f355662041430d4b64e59baa538d2b8fb5ef7528d81dbf"
}
]

What should we do in this case? (Also, what if the orig tarball(s)
are supposed to exist, but cannot be obtained from the mirror?)

Options are:

* Don't provide any origs and hope everything works anyway.

Often it will simply fail since dgit's quilt fixup will want those
origs. In principle it might sometimes result in a REJECT, but not
very often I think because dgit push-source will bomb out.

But I think it may have a chance of working anyway.

* Fail right away.

* If some origs are available, somehow pick one (maybe via a
dsc_in_suite query). This seems complicated. And it won't arise
in a purely-git-based workflow where everyone is just using
git-deborig.

Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Nice example! It is just different in Sid vs experimental, I’m not sure there is any rule against this situation? But it is sub-optimal. I’m not sure other tools doesn’t have this issue too.

What do dgit use the orig.tar for here? Can’t you just look up and put whatever hash is in the archive in the *.changes file, upload it and be done? If there is no match, make up a new orig.tar. If there are multiple matches, pick one using some
strategy.

The xz vs gz is a mess that I think arise from bad interaction between various tools, some claim pristine-tar solve this and some hate pristine-tar. I think different orig.tar in Sid and experimental is orthogonal to pristine-tar though.

/Simon

15 maj 2025 kl. 20:27 skrev Ian Jackson <ijackson@chiark.greenend.org.uk>:

Ian Jackson writes ("Bug#1105766: [tag2upload 207] failed, git2cl 1:3.0-3 [and 1 more messages]"):

This URL is helpful

https://api.ftp-master.debian.org/file_in_archive/%25git2cl%5C_3.0.orig.tar.xz

I discovered something quite exciting:

$ curl -Ss 'https://api.ftp-master.debian.org/file_in_archive/%25/guile-fibers%5c_1.3.1.orig%25.tar.%25' | jq .
[
{
"filename": "g/guile-fibers/guile-fibers_1.3.1.orig.tar.xz",
"component": "main",
"sha256sum": "9384ce475cb9af6b20b80b36f21c0e6d847517e0b8e5648afb215d4ed6883160"
},
{
"filename": "g/guile-fibers/guile-fibers_1.3.1.orig.tar.gz",
"component": "main",
"sha256sum": "a5e1a9c49c0efe7ac6f355662041430d4b64e59baa538d2b8fb5ef7528d81dbf"
}
]

What should we do in this case? (Also, what if the orig tarball(s)
are supposed to exist, but cannot be obtained from the mirror?)

Options are:

* Don't provide any origs and hope everything works anyway.

Often it will simply fail since dgit's quilt fixup will want those
origs. In principle it might sometimes result in a REJECT, but not
very often I think because dgit push-source will bomb out.

But I think it may have a chance of working anyway.

* Fail right away.

* If some origs are available, somehow pick one (maybe via a
dsc_in_suite query). This seems complicated. And it won't arise
in a purely-git-based workflow where everyone is just using
git-deborig.

Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Simon Josefsson writes ("Bug#1105766: [tag2upload 207] failed, git2cl 1:3.0-3 [and 1 more messages]"):

Nice example! It is just different in Sid vs experimental, I’m not sure there is any rule against this situation? But it is sub-optimal. I’m not sure other tools doesn’t have this issue too.

I think tag2upload created this situation. (It's not a very
desirable one.)

The t2u service ought to have found the existing .orig and reused it,
when it processed your upload to experimental. Instead, it didn't
find it, and then it made a new .orig.tar.xz with git-deborig and
uploaded that.

I think the possibility that this situation can arise means I will
have to implement the a complicated algorithm for orig finding.
Something like this:

* Retain the existing dgit fetch. We need the output of this anyway
because dgit push-source uses it. Doing it separately at the
beginning only costs a 2nd ftpmaster API query dsc_in_suite and a
2nd no-op git fetch.

In a normal NMU targeting the same suite this should always work,
unless maybe the current thing in sid is very new.

* If we don't now have any origs, look to discover existing origs
with a file_in_archive query. Hopefully we find precisely one
.orig.tar.* and possibly some .orig_foo.tar.* (only one of each).

* Thus having determined by API calls what origs we want, we attempt
to obtain them. If this does not work I think we must fail.

* If we don't discover any matching origs then we know we need to
make a new orig and use git-deborig, using the upstream= from the
tag.

* If we discovered some matching origs but there were stems for which
there were several files with the same stem, we don't know which to
choose. I don't see anything other to do but fail in this case.

I will think about this some more and maybe implement it tomorrow.

Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Another reflection: I'm not sure that API call is the best way to figure
out which orig.tar's are relevant. The canonical source for this is the *.changes file for the particular suite, isn't it? Or secondary, the information in the Sources file on mirrors. So the logic could be
something like:

* For an upload of package X version (E:)Y-Z into suite S where Y is
upstream version and E/Z is the Debian version, try to lookup package
X upstream version Y from Sources on mirrors in suite S, or some
internal API accessing *.changes files (which could be faster than
relying on mirror pulses) and filter for suite S.

* Download the *.orig* files specified in that file.

The API you mention doesn't make any guarantee that you get the right
*.orig* from a particular suite, does it? So it may return unrelated
*.orig* files for some other suite, causing some confusion.

/Simon

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmgm4kIUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFoqaVAQDQxoYCQKoQ m2a8NwdeIIsdxWtIsKTjzbZxqR7htIKKUwEA8zoygZ0zBZ+8kLto5rvSCLc/pEhZ NWSV5XeSB99f8Qc=
=6mRv
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Yeah, some more thinking would be good. Another data point:

https://packages.debian.org/source/unstable/libntlm https://packages.debian.org/source/experimental/libntlm

That is, instead of re-using the libntlm_1.8.orig.tar.gz (which is
identical to upstream's official tarball and carefully constructed to be bit-by-bit reproducible from the git repository using git-archive) and libntlm_1.8.orig.gz.asc, tag2upload created a different
libntlm_1.8.orig.tar.xz and lost the GPG signature.

I think I'm in a minority that cares about these things, and think that
a lot of people have given up on preserving identical tarballs and
retaining GPG signatures. So fixing this may not be a big priority.
But if you can make this work, it would be nice.

I'm also not certain that there is any guarantee that an upload to
experimental has to use the same source tarball as an earlier upload to unstable, for the same upstream version. It may be conceivable that the
reason for the upload to experimental is to get another tarball into the archive, because there were some problem with the sid orig.tar. But
maybe this is mostly a theoretical concern, and using tag2upload may not
be relevant for this situation.

/Simon

Ian Jackson <ijackson@chiark.greenend.org.uk> writes:

Simon Josefsson writes ("Bug#1105766: [tag2upload 207] failed, git2cl 1:3.0-3 [and 1 more messages]"):

Nice example! It is just different in Sid vs experimental, I’m not sure there is any rule against this situation? But it is sub-optimal. I’m not sure other tools doesn’t have this issue too.

I think tag2upload created this situation. (It's not a very
desirable one.)

The t2u service ought to have found the existing .orig and reused it,
when it processed your upload to experimental. Instead, it didn't
find it, and then it made a new .orig.tar.xz with git-deborig and
uploaded that.

I think the possibility that this situation can arise means I will
have to implement the a complicated algorithm for orig finding.
Something like this:

* Retain the existing dgit fetch. We need the output of this anyway
because dgit push-source uses it. Doing it separately at the
beginning only costs a 2nd ftpmaster API query dsc_in_suite and a
2nd no-op git fetch.

In a normal NMU targeting the same suite this should always work,
unless maybe the current thing in sid is very new.

* If we don't now have any origs, look to discover existing origs
with a file_in_archive query. Hopefully we find precisely one
.orig.tar.* and possibly some .orig_foo.tar.* (only one of each).

* Thus having determined by API calls what origs we want, we attempt
to obtain them. If this does not work I think we must fail.

* If we don't discover any matching origs then we know we need to
make a new orig and use git-deborig, using the upstream= from the
tag.

* If we discovered some matching origs but there were stems for which
there were several files with the same stem, we don't know which to
choose. I don't see anything other to do but fail in this case.

I will think about this some more and maybe implement it tomorrow.

Ian.

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmgm30wUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFopWQAQDyPTIAYlcK nuLtL6Z1pvzK54PKUFX04UkeZ7Y/ElnFUwEAvXOOOMjvb41E52bboJ+6TlaPolGk UEEWZML0kJETzQw=T79r
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Simon Josefsson writes ("Re: Bug#1105766: [tag2upload 207] failed, git2cl 1:3.0-3 [and 1 more messages]"):

Another reflection: I'm not sure that API call is the best way to figure
out which orig.tar's are relevant. The canonical source for this is the *.changes file for the particular suite, isn't it? Or secondary, the information in the Sources file on mirrors. So the logic could be
something like:

The .dsc file I think you mean. .changes files are not readily
accessible. (I'm not sure they're accessible at all.)

* For an upload of package X version (E:)Y-Z into suite S where Y is
upstream version and E/Z is the Debian version, try to lookup package
X upstream version Y from Sources on mirrors in suite S, or some
internal API accessing *.changes files (which could be faster than
relying on mirror pulses) and filter for suite S.

We are definitely limited by the ftpmaster APIs available. I don't
think anything involving Sources is tolerable here[1]. But happily:

We can easily look up the version of X in S (Es:Ys-Zs) and get its
.dsc. That will get tell us what origs X_Y.orig*.* belong to
Es:Ys-Zs. If E:Y == Es:Ys (the upstream version we are trying to
upload is the same as the one in S) this will find us the existing
origs.

E:Y < Es:Ys is excluded because uploads must be newer than the current
contents of the suite. Likewise E:Y > Es:Ys means that this upstream
version is new in this suite, so definitely no useful orig is in S.

So that's in fact what is currently implemented, via the additional
`dgit fetch` that t2u runs before thinking about git-deborig.

The part that is missing is the situation where there are origs in
other suites.

The API you mention doesn't make any guarantee that you get the right
*.orig* from a particular suite, does it? So it may return unrelated
*.orig* files for some other suite, causing some confusion.

So, only if the target suite doesn't have it.

That situation is what this bug is about.

Simon Josefsson writes ("Bug#1105766: [tag2upload 207] failed, git2cl 1:3.0-3 [and 1 more messages]"):

That is, instead of re-using the libntlm_1.8.orig.tar.gz (which is
identical to upstream's official tarball and carefully constructed to be bit-by-bit reproducible from the git repository using git-archive) and libntlm_1.8.orig.gz.asc, tag2upload created a different libntlm_1.8.orig.tar.xz and lost the GPG signature.

This is this same bug.

I think I'm in a minority that cares about these things, and think that
a lot of people have given up on preserving identical tarballs and
retaining GPG signatures. So fixing this may not be a big priority.
But if you can make this work, it would be nice.

tag2upload cannot convey a tarball, so for a new upstream version, you
must put up with it generating an orig using use git-archive via
git-deborig. The onoy way to do that would be pristine-tar. See my
other comments about that.

For an existing upstream version t2u should reuse existing origs.
That's what this bug is about.

Are you a user of pristine-tar ?

Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Thanks for working on this -- I'm happy to test things once later.

When I read your logic, I am a bit worried that things will break for
multiple archives. And users normally have two archives: debian and debian-security. I'm not sure some of your versioning assumptions
really hold cross-archives. Is this in scope? I suspect debian-
security won't implement tag2upload tomorrow though, so maybe multiple
archives can be deferred. And I recall debian-security do their own source-full uploads too, and don't want orig.tar reuse. I'm not sure
of debian-backports or debian-proposed(-updates) though.

Maybe some reproducible rebuilder folks could provide advice here, the
orig.tar issue comes up often in that context too.

Re pristine-tar, couldn't tag2upload also support that? However there
is no current practice to tag pristine-tar commits, so you'll need to
introduce some new logic here (or demand signed commits?). And get
adoption of that.

I use pristine-tar and used to be a big supporter of it, but there was
a thread on that on debian-devel that some time ago where I couldn't
even convince myself that pristine-tar solves any significant problem.
Both guile-fibers and libntlm uses pristine-tar though, and I created guile-fibers from scratch relatively recently so I guess old habits die
slowly. If tag2upload would support pristine-tar, maybe that is a more reliable way forward, but I think you'll need the logic below anyway as
a fallback.

/Simon

fre 2025-05-16 klockan 11:41 +0100 skrev Ian Jackson:

Simon Josefsson writes ("Re: Bug#1105766: [tag2upload 207] failed,
git2cl 1:3.0-3 [and 1 more messages]"):

Another reflection: I'm not sure that API call is the best way to
figure
out which orig.tar's are relevant.  The canonical source for this
is the
*.changes file for the particular suite, isn't it?  Or secondary,
the
information in the Sources file on mirrors.  So the logic could be something like:

The .dsc file I think you mean.  .changes files are not readily accessible.  (I'm not sure they're accessible at all.)

* For an upload of package X version (E:)Y-Z into suite S where Y
is
  upstream version and E/Z is the Debian version, try to lookup
package
  X upstream version Y from Sources on mirrors in suite S, or some
  internal API accessing *.changes files (which could be faster
than
  relying on mirror pulses) and filter for suite S.

We are definitely limited by the ftpmaster APIs available.  I don't
think anything involving Sources is tolerable here[1].  But happily:

We can easily look up the version of X in S (Es:Ys-Zs) and get its
.dsc.  That will get tell us what origs X_Y.orig*.* belong to
Es:Ys-Zs.  If E:Y == Es:Ys (the upstream version we are trying to
upload is the same as the one in S) this will find us the existing
origs.

E:Y < Es:Ys is excluded because uploads must be newer than the
current
contents of the suite.  Likewise E:Y > Es:Ys means that this upstream version is new in this suite, so definitely no useful orig is in S.

So that's in fact what is currently implemented, via the additional
`dgit fetch` that t2u runs before thinking about git-deborig.

The part that is missing is the situation where there are origs in
other suites.

The API you mention doesn't make any guarantee that you get the
right
*.orig* from a particular suite, does it?  So it may return
unrelated
*.orig* files for some other suite, causing some confusion.

So, only if the target suite doesn't have it.

That situation is what this bug is about.

Simon Josefsson writes ("Bug#1105766: [tag2upload 207] failed, git2cl
1:3.0-3 [and 1 more messages]"):

That is, instead of re-using the libntlm_1.8.orig.tar.gz (which is identical to upstream's official tarball and carefully constructed
to be
bit-by-bit reproducible from the git repository using git-archive)
and
libntlm_1.8.orig.gz.asc, tag2upload created a different libntlm_1.8.orig.tar.xz and lost the GPG signature.

This is this same bug.

I think I'm in a minority that cares about these things, and think
that
a lot of people have given up on preserving identical tarballs and retaining GPG signatures.  So fixing this may not be a big
priority.
But if you can make this work, it would be nice.

tag2upload cannot convey a tarball, so for a new upstream version,
you
must put up with it generating an orig using use git-archive via git-deborig.  The onoy way to do that would be pristine-tar.  See my
other comments about that.

For an existing upstream version t2u should reuse existing origs.
That's what this bug is about.

Are you a user of pristine-tar ?

Ian.

-----BEGIN PGP SIGNATURE-----

iQNTBAAWCAL7FiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmgnH5TCHCYAmDMEXJLO tBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9fV+QlTmXxo2naObDuGtw58YaxlOu0 JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9zZWZzc29uLm9yZz6IlgQTFggAPgIb AwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYhBLHSvRN1vst4TPT4xNc89jjFPAa+ BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA/iR73CfBurG9y8pASh3cbGOMHpDZ fMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx+3TCSAvZkpr4P/FuTzZ8JZe8Brgz BFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAxI2hIX4HK9bQTpNVei708oNr1Klm8 qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0+MTXPPY4xTwGvgUCZ9F0SgUJDWRm SQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9RcisI/kdFogUCXJLPgQAKCRBRcisI /kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE8GZHYNuFHmM9FEQS6AD6A4x5aYvo Y6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4JENc89jjFPAa+wUUBAO64fbZek6FP lRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6qobB9mkZlZ0qihy1x4JRtflqFcqq T9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UBBQEBB0AxlRumDW6nZY7A+VCfek9V pEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggAJgIbDBYhBLHSvRN1vst4TPT4xNc8 9jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjFPAa+0M0BAPPRq73kLnHYNDMniVBO zUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIehis3Uw2BzGZE6ttXQ2Q+DeCJO3TPp IqaXDAAKCRBRcisI/kdFog52AP93N5SzZere/hJCueWuyxex+4oRTzgyd9plJuZD ap2ZAwD/bWGHwj7Ito02EvegGdFyu+Cij0qKWkh7qTEuzfQndAY=
=PXPH
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

NB this message is sent to *two* bugs, including a non-t2u one.
Please try to keep this subthread very narrowly focused.

Simon Josefsson writes ("Bug#1105766: [tag2upload 207] failed, git2cl 1:3.0-3 [and 1 more messages] [and 1 more messages]"):

When I read your logic, I am a bit worried that things will break for multiple archives. And users normally have two archives: debian and debian-security. I'm not sure some of your versioning assumptions
really hold cross-archives.

Indeed, they don't. So with the code as it stands a security upload
done with t2u might involve a regenerated .orig.tar.gz which is
undesirable.

But right now uploads to security aren't supported at all.
The underlying bug for that is #1050143.

Maybe some reproducible rebuilder folks could provide advice here, the orig.tar issue comes up often in that context too.

In practice rebuilding archives with git-archive often reproduces the
same orig, but I don't think that would be good enough for security
uploads. I think we would need to tell the t2u service that "this
security archive has this other archive as a parent, and you should
look for origs there too".

Ian.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Control: tag -1 pending

I have a branch with what I think is the fix:
https://salsa.debian.org/dgit-team/dgit/-/merge_requests/187

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)