maybe a (long-term) solution to the translations problem and others
After catching up on the DDTP thread, I think I also need to say something.
First, I think having translations outside of .debs is bad. Second, I also
think that relying on maintainers for updating is bad.
The logical consequence (and yes, it's a technical solution to a social
problem) for me is that we should give up the idea that a .deb has a single
uploader. Since a .deb is an ar archive, it could be put together from
various sources when it is being installed into the archives, where each
source signs their parts of the file. For example, I could think of the

    $ ar tv foo.deb
    control.tar.gz      # signed by the maintainer
    control-de.tar.gz   # signed by the translation team
    data.tar.gz         # signed by the maintainer

That way, translations could be added without a reupload and without
breaking any signatures besides the one the maintainer used in his
*.changes file (but that one isn't needed anymore, since the packages now
contain signatures themselves). A developer can, of course, enforce his own
translations by providing them in his upload.
Transition to this should also be rather easy as the new .debs are
compatible with older dpkg (provided it ignores the extra members in the
deb, which I haven't checked); however, you won't see the translations until
you switch to a recent dpkg.
As a nice extra we get signed .debs. :-) I can also think of having
data-de.tar.gz containing the German .mo files, manpages and stuff, so we
have a standardized way for leaving them out at install time if a user
doesn't need them.
A big minus is that signing each individual archive member will require the
developer to enter his passphrase several times until someone writes a
wrapper around gpg that asks once and signs multiple files.
Unless someone finds a big problem, I'm going to hack up a real proposal on
Monday and post it here.