Comment 10 for bug 2045452

From https://mariadb.org/download/?t=mariadb&o=true&p=mariadb&r=10.3.39&os=source you can see that for mariadb-10.3.39.tar.gz the correct sha256sum is 18bd51c847565af4da18748b052ab9bcbb569ab6e6766ca8da7dcca1f941f876.

This matches what I have locally and what I used during packaging:

$ sha256sum mariadb-10.3_10.3.39.orig.tar.gz
18bd51c847565af4da18748b052ab9bcbb569ab6e6766ca8da7dcca1f941f876 mariadb-10.3_10.3.39.orig.tar.gz

$ gpg --verify mariadb-10.3_10.3.39.orig.tar.gz.asc
gpg: assuming signed data in 'mariadb-10.3_10.3.39.orig.tar.gz'
gpg: Signature made ma 8. toukokuuta 2023 21.20.29 CST
gpg: using RSA key 177F4010FE56CA3336300305F1656F24C74CD1D8
gpg: Good signature from "MariaDB Signing Key <email address hidden>" [full]

I imported upstream with uscan so all this validation was automatic anyway.

This is also what I get from a clean gbp-build using gbp 0.9.19 on Ubuntu 20.04.

I have double checked my local git and remote is synced.

I even downloaded the git repository from Salsa to a temporary directory and ran git-buildpackage to produce the source package both using the Focal and Debian Sid versions, and I am unable to reproduce the xdelta bug you saw with the umt builder.