[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: changes file format

Ian Murdock writes ("Re: changes file format"):
> I don't think we should mandate that a script exist somewhere to parse
> the machine-readable format and generate a human-readable format from
> it, when we could just as easily have a format that is both human- and
> machine-readable and that does not require this extra step.

I agree that it's an ugly way of doing things, but it seems that Bruce
is happier with it and he's the person who's going to have to be using
these things (the machine-readable ones).

> We *must*, however, have a script that maintainers can use to generate
> announcements.  dchanges could be adapted to generate a human-readable
> format instead of the currently-used format.  At the moment, the format
> it uses appears to contain all of the right information, but it doesn't
> arrange it in a manner that is easily readable by humans.

That would please me, obviously.

> And while I do agree that it would be a good idea for the archive
> maintainer (me) to moderate debian-changes to prevent announcements
> from  being distributed before the announced package is moved into
> public view, I must urge restraint in automating the process.  All
> packages should be inspected and moved into the distribution by a
> human.  I am strongly of that opinion.

I agree.

I still think an `unmoderated' version of debian-changes would be

Bruce Perens writes ("Re: changes file format "):
> imurdock@debian.org said:
> > At the moment, I have to run a special script to convert the dchanges 
> > md5sum format into a format that md5sum -c can understand.  This is a 
> > pain.
> I'd like to point out that "dpkg" should verify the package for the end-user.
> Someone who doesn't know how to write a script should not ever have to run
> "md5sum" on a package.

This is true.  The problems are public key distribution, and public
key software at the user's end.  In order for checking the MD5 to be
meaningful we have to put a digital signature on it, and basically I
think we want RSA.  We therefore need *something* at the user's end
that can do an RSA signature verification.


Reply to: