
Re: Proposal: New source format (was Re: [Fwd: Re: dpkg question])

On May 10, Jim Pick wrote
> >  Why aren't sources packed into a single archive, the way rpms files
> > are?
> I think the reasoning is that each debian-revision consists of only 
> small changes and patches to the upstream sources, so why re-upload 
> the upstream sources.
> Personally, I think the whole Debian source packaging scheme needs
> a major overhaul.  Too often, the .orig.tar.gz part of the package
> gets separated from the .dsc and .diff.gz parts.  
> Plus, the naming convention of the .orig.tar.gz part requires ripping 
> apart the original upstream tarball and renaming everything.  This 
> means that if the .orig.tar.gz file gets lost (one package I took
> over is in this situation), it's almost impossible to retrieve the 
> upstream version, rename everything exactly as the original
> maintainer did, repack it, and have the same md5sum checksum.  

what about using the original upstream version (the same file, byte by
byte), and having some additional information in the .dsc file (how to
extract the original file, from where it was downloaded, original md5sum,
rename commands if needed).

this would require a new way of handling dsc files (now they are
generated), but that shouldn't be too hard.

the only change is : keep the original filename, or change it ?
(if it is changed, this change should be in the .dsc file).

commands in a .dsc file would also make it possible to have N source
files converted to M packages, with everything documented in the .dsc
file (that is useful for packages of many small programs. one example :
isdnutils consists of ca. 10 commands, put together as one unit
(isdnutils source file was "constructed" by me, because the original
upstream source file wasn't updated, but most individual packages), and
created 2 packages (isdnutils and xisdnutils)).

> Of course, this also means we cannot implement an automated system where 
> we can check the .orig.tar.gz files in our source distribution against
> the upstream source distributions (located on well known web sites).

in my way it should work. but creating diffs might be horrible ...

> Comments?

i don't know how good or bad this solution is, but if we make such a big
change, what about :
 - implementing source dependencies (this theme was discussed several
   times. if we have to change packages anyway...)
 - changing the whole mechanisms to auto compilations.

another topic : 
it will not help us to have secure debian packages, as long as we use a
source from sunsite mirrors etc. that might be changed. debian
should work together with all other distributions, fsf people and bsd
people to create a common way to make sure that a package was not
changed on the way from its author to debian / linux community.  it's
one thing to trust a maintainer that his sources are ok, but it's a
different thing to trust a tar.gz that anybody could have created. 

regards, andreas
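
An added example, not part of the original message or of any Debian tool: it shows why a repacked tarball can no longer be checked against upstream while the byte-identical file can, using a record like the one proposed above. The record field names, the `upstream.example` URL and the `hello-1.0` tree are constructed assumptions, and SHA-256 is used where the thread says md5sum.

```python
import gzip, hashlib, io, tarfile

# Constructed sample upstream tree (not a real package).
FILES = {"Makefile": b"all:\n\tcc -o hello hello.c\n",
         "hello.c": b"int main(void) { return 0; }\n"}

def make_tarball(top_dir, files, mtime):
    """Build a .tar.gz in memory with every member under top_dir/."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(f"{top_dir}/{name}")
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def verify_upstream(record, blob):
    """True only if blob is byte-identical to the file the record describes."""
    return len(blob) == record["size"] and digest(blob) == record["sha256"]

def tree_digest(blob):
    """Hash relative paths and contents, ignoring top dir name and timestamps."""
    entries = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[1]  # drop the top-level directory
                entries.append((rel, tar.extractfile(m).read()))
    h = hashlib.sha256()
    for rel, data in sorted(entries):
        h.update(rel.encode() + b"\0" + data + b"\0")
    return h.hexdigest()

# The file as published upstream, and a maintainer's repack of the same tree.
PRISTINE = make_tarball("hello-1.0", FILES, mtime=863222400)
REPACKED = make_tarball("hello-1.0.orig", FILES, mtime=863308800)

# Hypothetical per-file record of the kind the message suggests for the .dsc.
RECORD = {"filename": "hello-1.0.tar.gz",
          "origin": "https://upstream.example/hello-1.0.tar.gz",
          "size": len(PRISTINE), "sha256": digest(PRISTINE)}

if __name__ == "__main__":
    print("pristine verifies:", verify_upstream(RECORD, PRISTINE))
    print("repacked verifies:", verify_upstream(RECORD, REPACKED))
    print("same file contents:", tree_digest(PRISTINE) == tree_digest(REPACKED))
```

The repack carries identical file contents, yet the renamed top-level directory and new timestamps change the archive bytes, so only the untouched upstream file matches the recorded digest.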
