
Bug#568141: release.debian.org: Latest point release hard to follow / confusing



Hello Philipp,
On Tue, Feb 02, 2010 at 08:24:23PM +0100, Philipp Kern wrote:
> On Tue, Feb 02, 2010 at 07:15:01PM +0100, Helge Kreutzmann wrote:
> > Obviously different from previous updates this page is out of date. I
> > was almost considering stopping the update when I checked
> > http://packages.qa.debian.org/XXX instead (how am I to know that this
> > page is correct???). 
> 
> What are you checking on upgrade?  If it's for integrity: point releases are
> signed with an offline key in addition to the normal archive key.  So you
> can check Release based on Release.gpg and there's then a defined trust
> path.

Essentially it is a second check for integrity (call me paranoid, but
I'd like to match the version apt-listchanges displays to me to the one I
obtained via a different path). It's also a delayed QA, once or twice
I caught a typo in a DSA this way.

I'm well aware of the trust path and the risks mitigated/involved
in the signing process and do not question it.

> The mail to debian-announce[1] might not list the versions but it does list
> the changes introduced.  And you should be able to find the concrete
> changelogs a) in the package through apt-listchanges and b) on
> packages.qa.d.o.

Yes, I could compare the changes also, but this is more tedious than
version numbers (e.g. for linux-2.6). 

And up to now the similar sounding site http://packages.debian.org
also showed the latest version, which is not the case now. This time
only packages.qa.d.o shows the latest version, and then sometimes in
the category "stable" and sometimes in "stable-sec" (I don't know if
that was the case previously as well).

> I'm happy to adjust the process, however it's difficult to get all people
> involved present and awake for the whole timespan of a point release.
> 
> (I.e. we started at about 19 UTC and finished at 23:30 UTC.  The mirror
> push was supposed to happen after the next dinstall at 01:52 UTC.
> Due to a glitch the actual sync only happened after the ftp-master was
> awake again at 9:30 UTC.  And the press release came in even later, too.
> So not everything worked as expected on this one.)

I'm not detailed in the process (thanks for the explanation) and I
just made a suggestion in my initial mail about a possible improvement.
So if this unfortunate incident happened because of one-time glitches,
no problem, but this still would not explain why
http://packages.debian.org is outdated.

So essentially there should be a canonical reliable way to obtain the
version numbers.

Greetings

          Helge

-- 
      Dr. Helge Kreutzmann                     debian@helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/
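
The trust path mentioned in the quoted reply can be followed down to individual version numbers. The sketch below is an added example, not part of the original thread or of any Debian tool: it assumes the Release text was already verified against Release.gpg (for instance with gpgv and the archive keyring), and the function names, package names, versions and index path are constructed for illustration.

```python
import hashlib

def parse_release_sha256(release_text):
    """Map index path -> (sha256 hex, size) from the SHA256 section of Release."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other header ends the section
    return entries

def trusted_versions(release_text, path, packages_bytes):
    """Return {package: version}, but only if the index matches Release."""
    entries = parse_release_sha256(release_text)
    if path not in entries:
        raise ValueError(f"{path} is not listed in Release")
    digest, size = entries[path]
    actual = hashlib.sha256(packages_bytes).hexdigest()
    if len(packages_bytes) != size or actual != digest:
        raise ValueError(f"{path} does not match the signed Release file")
    versions = {}
    for stanza in packages_bytes.decode("utf-8").split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        if "Package" in fields:
            versions[fields["Package"]] = fields.get("Version")
    return versions

# Constructed sample data (not real archive contents).
PATH = "main/binary-amd64/Packages"
PACKAGES = (b"Package: examplepkg\nVersion: 1.2-3\nArchitecture: amd64\n\n"
            b"Package: otherpkg\nVersion: 0.9-1\nArchitecture: amd64\n")
RELEASE = ("Origin: Example\nSuite: stable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {PATH}\n")

if __name__ == "__main__":
    # Assumed earlier step: gpgv --keyring <archive-keyring> Release.gpg Release
    for name, version in sorted(trusted_versions(RELEASE, PATH, PACKAGES).items()):
        print(name, version)
```

The versions returned this way come from an index whose hash is covered by the signature, so they can be compared with what apt-listchanges shows without relying on a web page being up to date.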
