Re: Problems with the current source packaging scheme

To: Lars Wirzenius <liw@iki.fi>
Cc: debian-devel@lists.debian.org
Subject: Re: Problems with the current source packaging scheme
From: Jim Pick <jim@jimpick.com>
Date: Sun, 11 May 1997 17:10:44 -0700
Message-id: <[🔎] 199705120010.RAA10373@fleming.jimpick.com>
In-reply-to: Your message of "Mon, 12 May 1997 00:42:42 +0300." <[🔎] m0wQgOB-000AobC@liw.clinet.fi>

Thanks for the write-up, Lars.  Time for me to comment.

Hopefully, we can keep the discussion constructive...   :-)

> * .orig.tar.gz gets separated from .dsc and .diff.gz, and may get lost

Well, they shouldn't get lost - but sometimes they are legitimately there,
and sometimes they are legitimately not there -- so if they accidentally
get cleaned, it's hard to spot.
 
> * upstream sources not preserved bit-for-bit; need to be repackage, which
>   can destroy upstream digital signatures, and makes it more difficult to
>   check that .orig.tar.gz and upstream sources are the same

The only reason they currently get repackaged is so that they can be easily
stored in the archive.  If we just "wrap" them in something else, it 
accomplishes the same objective without being so darn destructive.
 
> * no automated way to check .orig.tar.gz files against upstream distribution
>   (located on well known web sites), or upstream digital signature, if any

See previous comment.
 
> * Debian packages are not PGP-signed by the Debian maintainer, except via the
>   .dsc file.

Maybe we need a new version of the .deb file format?

ie.

$ ar t jdk1.1-runtime_1.1.1-1_i386.deb 
debian-binary
control.tar.gz
data.tar.gz

Just add another file to it called "pgp-md5sum" which is just the 
md5sum of control.tar.gz concatenated to data.tar.gz and pgp signed.
Plus increment the debian-binary version number to 3.0.
 
> * no way to automatically retrieve the upstream source package, or its
>   updates

If dpkg/dselect/diety could handle source packages as well as binary packages,
this could work.
 
> * no dependencies for source packages

If we had these, we might eventually be able to mandate that source packages
must be buildable out-of-the box (providing the dependencies are satisfied).
This would ensure that we have a buildable global source tree.
 
> * binary files are handled badly

How so?
 
> * upstream sources sometimes come in many different files
>
> * building a binary package requires running as root

I don't really see this as an issue -- that is, until dpkg allows people to
install files while not running as root.

I hope I was constructive...  :-)

Cheers,

 - Jim

Attachment: pgpnTgQmfEQXb.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Problems with the current source packaging scheme
  - From: Manoj Srivastava <srivasta@datasync.com>

References:
- Problems with the current source packaging scheme
  - From: Lars Wirzenius <liw@iki.fi>

Prev by Date: Re: Proposal: New source format (was Re: [Fwd: Re: dpkg question])
Next by Date: Re: Proposal: New source format (was Re: [Fwd: Re: dpkg question])
Previous by thread: Re: Problems with the current source packaging scheme
Next by thread: Re: Problems with the current source packaging scheme
Index(es):
- Date
- Thread