Drop generation of debian/watch for GitHub projects and use Archive instead

[ottok]

In devscripts since 2.25.19 uscan automatically discovers GitHub upstream tarballs when debian/upstream/metadata contains the Archive: GitHub and Repository fields. Since dh-make-golang already writes this file and only supports GitHub-hosted projects, the watch file is now redundant.

Removing it avoids maintenance overhead and confusion for new maintainers who might otherwise believe the file is required.

This also prevents Lintian from nagging about watch file format v4.

[guilherme-puida]

I think this makes uscan misbehave when upstream does not tag releases. I built this branch locally and tried dh-make-golang make -type l github.com/tscholl2/siec. Running uscan --report-status after results in:

uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: Found debian/upstream/metadata instead of debian/watch, trying to read it
uscan info: package="golang-github-tscholl2-siec" version="0.0~git20240310.c2c6f61-1" (as seen in debian/changelog)
uscan info: package="golang-github-tscholl2-siec" version="0.0~git20240310.c2c6f61" (no epoch/revision)
uscan info: ./debian/changelog sets package="golang-github-tscholl2-siec" version="0.0~git20240310.c2c6f61"
uscan warn: In /tmp/K8Cfn3Gdka/watch no matching files for watch source
  https://api.github.com/repos/tscholl2/siec/git/matching-refs/tags/
uscan info: Process watch file at: /tmp/K8Cfn3Gdka/watch
    package = golang-github-tscholl2-siec
    version = 0.0~git20240310.c2c6f61
    pkg_dir = .
uscan info: Parsing downloadurlmangle: s%(api.github.com/repos/[^/]+/[^/]+)/git/refs/%$1/tarball/refs/%g
uscan info: Parsing filenamemangle: s%.*/(?:[^/]+(?<=(?:\D|alpha|beta|rc))\-)?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))%golang-github-tscholl2-siec-$1.tar.gz%
uscan info: Parsing pgpmode: none
uscan info: Parsing searchmode: plain
uscan info: Parsing versiontype: (?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))
uscan info: Last orig.tar.* tarball version (from debian/changelog): 0.0~git20240310.c2c6f61
uscan info: Last orig.tar.* tarball version (dversionmangled): 0.0~git20240310.c2c6f61
uscan info: Requesting URL:
   https://api.github.com/repos/tscholl2/siec/git/matching-refs/tags/
uscan info: Scan finished

[coldtobi]

does this change break tracker.d.o detection of new upstream versions?

[ottok]

@coldtobi: This is a standard feature in uscan now and hence everything uscan does should continue to work, inluding upstream new version detection.

@guilherme-puida: Thanks for testing! Indeed the uscan v5 code path here is not working, I will test more this use case.

[guilherme-puida]

After some more thought, I think I disagree that the watch file is redundant. It needs to exist when:

1. Upstream does not tag releases (at least with the current implementation).
2. Upstream signs tags/commits and you want to check the signature.
3. You want to temporarily disable uscan with Untrackable: <reason>.
4. Probably other reasons I cannot think of right now...

Wouldn't it be better to still generate d/watch and use Template: Github so that changing any of the above would only require adding fields to d/watch instead of deleting Archive from d/u/metadata and creating a watchfile from scratch?

[ottok]

Actually the v5 template does not support checking neither signed tags nor detached signatures, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118381 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118383

There are 3 options:

1. Not having a watch file by default, and asking people to create one only if the default upstream/metadata:Archive feature does not work for the package

2. Having a watch file with GitHub template, e.g.

Version: 5
Template: Github
Dist: https://github.com/homeport/dyff

3. Having a watch file with similar contents as now, making it easy to customize and having all security features supported, e.g.:

Version: 5
Source: https://github.com/homeport/dyff.git
Matching-Pattern: refs/tags/@ANY_VERSION@
Git-Export: all
Mode: git
Pgp-Mode: gittag

I am maybe leaning on option 3 now..

[n-peugnet]

IMO your option 2. looks nice, but using Owner and Project feels more common than Dist. Keeping the watch file is important for me, as I often need to tweak it a bit, so it is nice to have something to start from.

So I would simply keep the generated watch files as they are, but update them to version 5 and switch to Github templates, and maybe simplify them a bit, for example using Uversion-Mangle: auto as it works fine for most Go packages.

IIRC currently the watch file is only generated for Github upstream right?

[ottok]

IIRC currently the watch file is only generated for Github upstream right?

Yes, the watch file is currently generated only for projects with github.com in their identifier.