Florian Weimer wrote: > * Anthony Towns: > > > 5) The intial policy for the use of the Debian Maintainer keyring with the > > Debian archive will be to accept uploads signed by a key in that keyring > > provided: > > > > * none of the uploaded packages are NEW > > > > * the Maintainer: field of the uploaded .changes file matches the > > key used (ie, maintainers may not sponsor uploads) > > > > * none of the packages are being taken over from other source packages > > > > * the most recent version of the package uploaded to unstable > > or experimental lists the uploader in the Maintainer: or Uploaders: > > fields (ie, cannot NMU or hijack packages) > > > > * the usual checks applied to uploads from Debian developers pass > > I suppose their should be checks for unchanged "Provides:" and > "Replaces:" lines, too. (Not sure about "Enhances:".) There are an infinite number of ways to divert or break files from another package. AFAICS, the checks in the abovequoted portion of aj's proposal are not meant to address such things (that's covered by the bit about DMs being malicious or generally bad). -- see shy jo
Attachment:
signature.asc
Description: Digital signature