Thanks for the write-up, Lars. Time for me to comment. Hopefully, we can keep the discussion constructive... :-)

> * .orig.tar.gz gets separated from .dsc and .diff.gz, and may get lost

Well, they shouldn't get lost - but sometimes they are legitimately there, and sometimes they are legitimately not there -- so if they accidentally get cleaned, it's hard to spot.

> * upstream sources not preserved bit-for-bit; need to be repackaged, which
> can destroy upstream digital signatures, and makes it more difficult to
> check that .orig.tar.gz and upstream sources are the same

The only reason they currently get repackaged is so that they can be easily stored in the archive. If we just "wrap" them in something else, it accomplishes the same objective without being so darn destructive.

> * no automated way to check .orig.tar.gz files against upstream distribution
> (located on well known web sites), or upstream digital signature, if any

See previous comment.

> * Debian packages are not PGP-signed by the Debian maintainer, except via the
> .dsc file.

Maybe we need a new version of the .deb file format? i.e.

    $ ar t jdk1.1-runtime_1.1.1-1_i386.deb
    debian-binary
    control.tar.gz
    data.tar.gz

Just add another file to it called "pgp-md5sum" which is just the md5sum of control.tar.gz concatenated to data.tar.gz and pgp signed. Plus increment the debian-binary version number to 3.0.

> * no way to automatically retrieve the upstream source package, or its
> updates

If dpkg/dselect/deity could handle source packages as well as binary packages, this could work.

> * no dependencies for source packages

If we had these, we might eventually be able to mandate that source packages must be buildable out-of-the-box (providing the dependencies are satisfied). This would ensure that we have a buildable global source tree.

> * binary files are handled badly

How so?

> * upstream sources sometimes come in many different files
>
> * building a binary package requires running as root

I don't really see this as an issue -- that is, until dpkg allows people to install files while not running as root.

I hope I was constructive... :-)

Cheers,

- Jim
Attachment:
pgpnTgQmfEQXb.pgp
Description: PGP signature
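The "pgp-md5sum" member proposed in the mail, as an added example that is neither the mail's nor dpkg's code: it builds a format-3.0 .deb as an ar archive with the four members, binds the digest to control.tar.gz followed by data.tar.gz, and verifies that a data.tar.gz swapped in without re-signing is rejected. The ar header layout is the standard common format; `stub_sign`/`stub_unsign` are assumed stand-ins for PGP signing and verification, and the tarballs are constructed samples.

```python
import hashlib
import io
import tarfile
AR_MAGIC = b"!<arch>\n"  # a .deb is a plain "common format" ar archive

def ar_member(name, data):
    # 60-byte ar header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"; body padded to even length
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def ar_read(blob):
    assert blob.startswith(AR_MAGIC), "not an ar archive"
    members, pos = {}, len(AR_MAGIC)  # {member name: bytes}, in archive order
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode("ascii").rstrip(), int(hdr[48:58].decode("ascii"))
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members

def make_tgz(files):
    # constructed sample tarball standing in for a real control.tar.gz or data.tar.gz
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def digest_of(control_tgz, data_tgz):
    # MD5 over control.tar.gz followed by data.tar.gz, as proposed (MD5 is collision-broken today; use SHA-2 now)
    return hashlib.md5(control_tgz + data_tgz).hexdigest()

# assumed stand-ins for PGP-signing the digest with the maintainer's key and verifying it (None = bad signature)
def stub_sign(digest): return b"SIGNED:" + digest.encode("ascii")
def stub_unsign(blob): return blob[7:].decode("ascii") if blob.startswith(b"SIGNED:") else None

def build_deb(control_tgz, data_tgz, sign=stub_sign):
    members = [("debian-binary", b"3.0\n"), ("control.tar.gz", control_tgz), ("data.tar.gz", data_tgz),
               ("pgp-md5sum", sign(digest_of(control_tgz, data_tgz)))]
    return AR_MAGIC + b"".join(ar_member(n, d) for n, d in members)

def verify_deb(blob, unsign=stub_unsign):
    # accept only format 3.0 whose signed digest matches the two tarballs exactly as stored in the archive
    m = ar_read(blob)
    if m.get("debian-binary") != b"3.0\n" or "pgp-md5sum" not in m:
        return False
    claimed = unsign(m["pgp-md5sum"])
    return claimed is not None and claimed == digest_of(m["control.tar.gz"], m["data.tar.gz"])
```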