idea: new field for the .changes file


I saw plenty of Debian developers who made non-official builds for
friends, but made them public anyway. Nothing wrong with it, but they
usually let everybody access the .changes file too, so others can check
the originator. Nothing wrong with it? It's so bad, because in many
cases some not-too-nice-guy might easily upload the whole build with the
signed(!) changes file to an ftp-queue. Summarily: anybody can break a
Debian package with a little conspiracy, and an ftp client.

AFAIK, no one has done anything like this yet, but I think a new field should
be added to the .changes file which indicates the destination of the
package. I say destination because we ought to keep the idea (like with
the bugs) that if anybody wants, he can create a Debian-style distro,
that's why 'Official: yes' is not the right way to implement this. I
would propose something like 'Destination: Debian'. Of course this field
won't be used by anything else but by the queue daemon to verify the
package and do whatever it has to with it.

If you reply to the message please do Cc: me, because I am not subscribed to
debian-devel@lists.debian.org.

Lenart, Janos
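
A sketch of the queue-side check the message proposes, added here as an example; it is not part of the original message and not code from any Debian tool. `Destination` is the field proposed above; the queue name, the sample file and the function names are assumptions, and the OpenPGP signature itself is assumed to be verified separately. The field is read only from the signed region, so a copy appended outside the signature carries no weight.

```python
import re

QUEUE_NAME = "Debian"  # assumption: the destination this queue accepts

# Constructed sample: the signature body is a placeholder, and the last
# line sits outside the signed region, so nothing vouches for it.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Source: hello
Destination: PrivateRepo
Description:
 hello - example package

-----BEGIN PGP SIGNATURE-----

PLACEHOLDER
-----END PGP SIGNATURE-----
Destination: Debian
"""

CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n"
    r"(.*?)\n-----BEGIN PGP SIGNATURE-----", re.S)

def signed_payload(text):
    """Return only the text covered by the signature."""
    m = CLEARSIGN.search(text)
    if not m:
        raise ValueError("not a clearsigned file")
    return m.group(1)

def parse_fields(payload):
    """Parse 'Key: value' control fields with indented continuation lines."""
    fields, key = {}, None
    for line in payload.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            if key in fields:
                raise ValueError("duplicate field: " + key)
            fields[key] = value.strip()
    return fields

def accept_upload(text, queue=QUEUE_NAME):
    """Decide whether this queue may process the upload."""
    dest = parse_fields(signed_payload(text)).get("Destination")
    if dest is None:
        return False, "no signed Destination field"
    if dest != queue:
        return False, "signed for %r, not %r" % (dest, queue)
    return True, "ok"
```
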

