
Re: Decision on leaving upstream tar files untouched?




On Fri, 14 Mar 1997, Bruce Perens wrote:

> I have determined by reading the lists that we have a consensus that
> the original, unmodified source tar archive should be part of the
> source package wherever possible. Our V.P. engineering seems to be in
> agreement with this. The changes should be made to the policy manual and
> the programs involved if they have not already been made.

I'm very sceptical that this is the right time for this change. I don't see
that the benefits would compare to the effort needed to change all our
packages.

AFAIK the only advantage we get out of this change is that we get to check
if the upstream source is the one the author announced (through md5sum
checks). Right now, the maintainer could easily do this. And we have to
trust all our maintainers anyways, since they could "hack" the source code
with the .diff.gz file they upload. 

If we make that change now, we would have to set the Policy Manual's
version number to 3.0.0.0, since this change affects _all_ our packages.
Note that we haven't converted all packages to 2.x.x.x yet.

I would vote for delaying this change until Ian (or someone else) has
implemented the concept about signing the packages. It would be nice if
this could be done early in the 2.0 development phase. We could change
the policy with the .orig.tar.gz files _then_ and update the necessary
dpkg-dev tools. 


Thanks,

Chris

- --                  Christian Schwarz
                   schwarz@monet.m.isar.de, schwarz@debian.org,
                  schwarz@mathematik.tu-muenchen.de, bm955877@muenchen.org
                       
                PGP-fp: 8F 61 EB 6D CF 23 CA D7  34 05 14 5C C8 DC 22 BA
            
 CS Software goes online! Visit our new home page at
 	                                     http://www.schwarz-online.com
