On Thu, Apr 17, 2008 at 08:48:21AM +0100, Adam D. Barratt wrote:
> Roberto C. Sánchez wrote, Thursday, April 17, 2008 2:24 AM
>
> > On Wed, Apr 16, 2008 at 04:25:46PM +0100, Matthew Johnson wrote:
> >>do you have updated devscripts? debsign signs the dsc then updates the
> >>md5 hash in the changes before signing that. It needs to update the sha
> >>checks as well. The latest devscripts does.
>
> >Will the devscripts in stable be updated to handle this? If so, when?
> >If not, why not?
>
> (If you're looking for an answer from the maintainers of a package it's
> probably safer to ask them directly rather than assuming they read every
> post on debian-devel; admittedly several of us do, but... :-)
>
> I'm not convinced it meets the SRM team's criteria for a stable update, as
> laid out in http://release.debian.org/stable/4.0/4.0r3/ et al.
>
> 2.10.25 should migrate to testing over the weekend, so hopefully a bpo
> package won't be too much longer. In the meantime it's fairly easy to
> backport yourself, as several people have already done, or simply copy the
> new script over from an unstable machine. Other than the update for the new
> .changes file format, there have been relatively little changes to debsign
> since the version in etch, and those have all been bugfixes.
>

IMO, that sort of misses the point. While I maintain quite a few packages in Debian, the only places I run unstable/testing are in one VM (for testing/reproducing/fixing bugs that I cannot reproduce in stable) and in some chroots.

The point is that I should be able to build my packages inside of a pbuilder or other type of chroot, sign the package on my host system and be reasonably sure that my package will be accepted into the archive. If the archive software breaks compatibility with the current stable release of (insert name of whatever tool is affected, specifically devscripts in this case), then it looks bad on Debian.

Now, I do occasionally use backports and I also backport things on my own when I need it. However, this is a change that affects every single DD who runs stable as a primary system (which I am certain is a significant number) and should be handled through official channels, such as a special "DSA" (or comparable since this is not really a security issue) or at the very least through a point release (however, those can be spaced rather far apart).

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
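The checksum problem discussed in this thread, as an added example that is not part of the original messages and is not devscripts code: signing the .dsc changes its bytes, so every checksum field in the .changes that lists it (Files, Checksums-Sha1, Checksums-Sha256) has to be refreshed, not only the MD5 one. The helper names, the package name and the sample .dsc contents are constructed for illustration.

```python
import hashlib

# .changes field -> hash algorithm; "Files" carries MD5, the Checksums-* fields
# are the SHA entries the thread says debsign must also refresh.
FIELDS = {"Files": "md5", "Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}

def parse_checksums(changes_text):
    """Return {field: {filename: (hexdigest, size)}} from a .changes body."""
    out, current = {}, None
    for line in changes_text.splitlines():
        if line[:1] in (" ", "\t"):           # continuation of a multi-line field
            parts = line.split()
            if current and len(parts) >= 3:   # hash, size, [section, priority,] name
                out[current][parts[-1]] = (parts[0], int(parts[1]))
            continue
        name = line.split(":", 1)[0]
        current = name if name in FIELDS else None
        if current:
            out[current] = {}
    return out

def stale_entries(changes_text, files):
    """List (field, filename) pairs whose recorded hash or size is out of date."""
    stale = []
    for field, entries in parse_checksums(changes_text).items():
        for fname, (digest, size) in entries.items():
            data = files[fname]
            if hashlib.new(FIELDS[field], data).hexdigest() != digest or len(data) != size:
                stale.append((field, fname))
    return sorted(stale)

def render_changes(fname, data_for):
    """Hypothetical helper: build a minimal .changes body from per-field file bytes."""
    lines = ["Source: hello"]
    for field, algo in FIELDS.items():
        data = data_for[field]
        extra = " devel optional" if field == "Files" else ""
        lines += [f"{field}:", f" {hashlib.new(algo, data).hexdigest()} {len(data)}{extra} {fname}"]
    return "\n".join(lines) + "\n"

# Constructed sample data: a toy .dsc before and after being wrapped in a signature.
DSC = "hello_1.0-1.dsc"
UNSIGNED = b"Source: hello\nVersion: 1.0-1\n"
SIGNED = b"-----BEGIN PGP SIGNED MESSAGE-----\n\n" + UNSIGNED + b"-----BEGIN PGP SIGNATURE-----\n(constructed)\n"

def demo():
    """Compare a .changes where only the MD5 entry was refreshed with a fully refreshed one."""
    md5_only = render_changes(DSC, {"Files": SIGNED, "Checksums-Sha1": UNSIGNED, "Checksums-Sha256": UNSIGNED})
    all_fields = render_changes(DSC, dict.fromkeys(FIELDS, SIGNED))
    return stale_entries(md5_only, {DSC: SIGNED}), stale_entries(all_fields, {DSC: SIGNED})
```

Running `stale_entries` over a real .changes and the files it lists, before uploading, shows which fields the local signing tool left untouched.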