Re: Proposal: New source format (was Re: [Fwd: Re: dpkg question])

[ Please don't Cc: public replies to me. ]

Jim Pick:
> That way, the unzip package would have to be installed before you could
> use the package.  Elegant, eh?  And it's already implemented inside
> dpkg.

I don't think so. The point of keeping an unmodified copy of the
upstream sources is to increase security by allowing PGP-signatures
and whatnot to work. If you then run random, unknown programs to unpack
the package, you're throwing away any security gained, and more. You
also make it unnecessarily difficult to unpack source packages on
non-Debian systems.

The upstream PGP-signatures need to be solved in another way.

> shell statements inside the debian/rules makefile would be able to 
> retrieve them and unpack them.

This is what I'm quite determined to avoid. I do _not_ want to
depend on Debian maintainers being infallible and non-malicious,
at least not so much that I can't even unpack a Debian source
package without endangering my system.

If Red Hat does this, they're broken.

> I didn't.  Please re-read my proposal (more slowly this time).  :-)

Klee did. I wasn't commenting on your proposal in particular.
(Anyway, I'd rather start with an explicit list of problems
with the current system than an implicit list derived from the
suggestions and a flood of messages on the topic.)

> Klee favours having a simple .sdeb and no upstream .upsdeb's.  I think
> we need to debate this some more.

Well, my mind's decided. Bandwidth costs, cross-Atlantic especially,
and the trivial inconvenience of having three files instead of one
is very well worth it in real money.

> I think you missed the point -- this system enables a single source
> tree.

The current system can be a single tree as well (put all source
packages in one directory, and do a loop with "dpkg-source -x",
and "dpkg-buildpackage -rsudo -uc -us"), but both systems are
pretty far from the BSD source tree, I think.

But that's beside my point -- there's so much other work to
do at the moment that I don't think big changes to the source
packaging format at this point will improve things.

> Actually, I think the scheme I proposed is actually very incremental,

It would change all source package file formats, and all tools
relevant to source packaging, and would require our developers
to learn to deal with a third source packaging format. A bit
too much of an increment for me. :-)

Please read <http://www.iki.fi/liw/mail-to-lasu.html> before mailing me.
Please don't Cc: me when replying to my message on a mailing list.