Why multiple versions of debian packages?

To: debian-www@lists.debian.org
Subject: Why multiple versions of debian packages?
From: Marty <martyb@ix.netcom.com>
Date: Sun, 27 Mar 2005 15:33:46 -0500
Message-id: <[🔎] 424718AA.6080608@ix.netcom.com>

I have a few questions about your debian archives which I would appreciate your finding
the time to answer.  This issue has puzzled me for a long time and I've finally decided to
get to the bottom of the mystery.

Did you know your site has multiple versions of identically named debian packages?  What is
the function and purpose of the different versions and why do they have the same name?

Unless I'm missing something, at best this seems confusing and misleading, and bad policy.
For one thing, I (and perhaps others) hope to use all the checksums for an added measure of
security.  Having multiple versions of packages is problematic in that respect, because
it muddies the waters and makes automatic checking, using the checksums, difficult to
impossible (especially for cases like bugzilla, where the versions differ even for the
security updates).

On the other hand, if the purpose of the checksum is, as I had presumed, to uniquely
identify package files, and if it is therefore *intended* to support my effort to use the
checksums for security purposes, including automatic integrity checking, then this implies
that there are problems with the following packages:

eeecdf87dc2cdc4fdf647c1ee869f089  ./debian/pool/main/b/bugzilla/bugzilla-doc_2.14.2-0woody4_all.deb
e5a29f1080514b0a2d4f67089b33684d  ./debian/pool/main/b/bugzilla/bugzilla_2.14.2-0woody4_all.deb
ef08e1d090904b2a5c4ee7922a4dfb82  ./debian-security/pool/updates/main/b/bugzilla/bugzilla-doc_2.14.2-0woody4_all.deb
af4eb24523d99a3cc0b334bf2914621a  ./debian-security/pool/updates/main/b/bugzilla/bugzilla_2.14.2-0woody4_all.deb

37397d1efd3cc573675b303244b3ee71  ./debian/pool/main/p/postgresql-7.4/libpq3_7.4.7-2_i386.deb
f8497089698e3127152034b7bec97324  ./debian/pool/main/p/postgresql/libpq3_7.4.7-2_i386.deb

5198221164c9193e937b7fa6fc0cc73c  ./debian-security/pool/updates/main/v/vbox3/vbox3_0.1.7.1_i386.deb
bb9a8a71d32904d51394c300b75111b7  ./debian/pool/main/v/vbox3/vbox3_0.1.7.1_i386.deb

5149e1dbfed225372c3eeb218b85b055  ./debian-marillat/dists/stable/main/binary-i386/libdts-dev_0.0.2-svn-1_i386.deb
821b2fc02375de2d45f025a629af29c4  ./debian/pool/main/libd/libdts/libdts-dev_0.0.2-svn-1_i386.deb

(The later is mentioned because it's unclear which web site has the correct version.)

Marty

Reply to:

Follow-Ups:
- Re: Why multiple versions of debian packages?
  - From: Michelle Konzack <linux4michelle@freenet.de>

Prev by Date: Incomplete Makefile dependencies
Next by Date: Re: phonetic transcription of debian?
Previous by thread: Re: Incomplete Makefile dependencies
Next by thread: Re: Why multiple versions of debian packages?
Index(es):
- Date
- Thread