Re: GroundZero (third party deb repository)

To: Debian Development <debian-devel@lists.debian.org>
Subject: Re: GroundZero (third party deb repository)
From: Christian Schwarz <schwarz@monet.m.isar.de>
Date: Thu, 12 Feb 1998 17:22:06 +0100 (CET)
Message-id: <[🔎] Pine.LNX.3.96.980212171747.6316G-100000@monet>
Reply-to: Christian Schwarz <schwarz@monet.m.isar.de>
In-reply-to: <[🔎] 87ra59notj.fsf@fleming.jimpick.com>

On 12 Feb 1998, Jim Pick wrote:

> Jason Gunthorpe <jgg@gpu.srv.ualberta.ca> writes:
> 
> > I just heard about GroundZero, a repository of experimental software, 
> > http://www.yggdrasil.com/test/GroundZero/
> > 
> > They provide their binaries in a number of forms, including .deb .. The
> > trouble is that they are using normal version numbers. I have stated
> > before that Deity depends on their being only one deb for each version,
> > having two debs called 1.3 that are not the same will cause problems.
> > 
> > Perhaps we should decide on some sort of policy regarding this?
> 
> I personally think it's just a case of "buyer beware".  I don't think
> Adam Richter of Yggdrasil is doing the repository with the expectation
> that people will be mixing packages via dpkg-ftp or deity.  They are
> going to be installing them manually using dpkg -i.  And those
> packages are definitely not going to be conforming to any sort of
> Debian policy.  If a user installs a non-Debian package using dpkg -i,
> and it screws up, that doesn't make us look bad, because it's his/her
> own fault.
[snip]

I agree. Note, that this topic has been discussed WRT the KDE packages on
debian-policy some time ago. We had a consensus that it doesn't make sense
to define a policy for non-Debian people, since we can't control what they
are releasing.

Thus, we had the idea of implementing the `Origin:' tag on the packages
which would, together with digitally signed packages, give our package
tools (dpkg, dselect, deity) a chance to check for packages which come
from another source--even if they use the same package name and/or
version.

Since we'll have the g10 package (a dfsg-free pgp replacement) soon,
perhaps we could use this for signing the packages. (Note, that this
package will also be non-us, unfortunately.)

How hard would it be to implement the Origin/g10-signature check for
deity?

Thanks,

Chris

--                  Christian Schwarz
                     schwarz@monet.m.isar.de, schwarz@schwarz-online.com,
Debian has a logo!    schwarz@debian.org, schwarz@mathematik.tu-muenchen.de

Check out the logo     PGP-fp: 8F 61 EB 6D CF 23 CA D7  34 05 14 5C C8 DC 22 BA
pages at  http://fatman.mathematik.tu-muenchen.de/~schwarz/debian-logo/

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to:

Follow-Ups:
- Re: GroundZero (third party deb repository)
  - From: Jason Gunthorpe <jgg@gpu.srv.ualberta.ca>
- Re: GroundZero (third party deb repository)
  - From: Luis Francisco Gonzalez <luisgh@cogs.susx.ac.uk>

References:
- Re: GroundZero (third party deb repository)
  - From: Jim Pick <jim@jimpick.com>

Prev by Date: Re: Removing /usr/lib/sendmail
Next by Date: Re: mars has strange behaviour -- how to package?
Previous by thread: Re: GroundZero (third party deb repository)
Next by thread: Re: GroundZero (third party deb repository)
Index(es):
- Date
- Thread