Hi!

I saw plenty of Debian developers who made non-official builds for friends, but made them public anyway. Nothing wrong with it, but they usually let everybody access the .changes file too, so others can check the originator.

Nothing wrong with it? It's so bad, because in many cases some not-too-nice guy might easily upload the whole build with the signed(!) .changes file to an ftp-queue. Summarily: anybody can break a Debian package with a little conspiracy and an ftp client.

AFAIK, no one has done anything like this yet, but I think a new field should be added to the .changes file which indicates the destination of the package. I say destination because we ought to keep the idea (like with the bugs) that if anybody wants, he can create a Debian-style distro; that's why 'Official: yes' is not the right way to implement this. I would propose something like 'Destination: Debian'.

Of course this field won't be used by anything else but the queue daemon, to verify the package and do whatever it has to with it.

If you reply to the message, please do Cc: me, because I am not subscribed to debian-devel@lists.debian.org.

Regards,

--
Lenart, Janos <ocsi@debian.org>
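An added example, not part of the original message and not the queue daemon's own code: a sketch of the check the proposed `Destination:` field would enable. It reads the field only from inside the clearsigned body, since text outside that body is not covered by the signature. It assumes the signature itself has already been verified, that the queue's archive name is `Debian`, and uses a constructed sample with a placeholder signature and a made-up `FriendsRepo` destination.

```python
import re

ARCHIVE = "Debian"  # assumption: the name this queue accepts uploads for

CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n"   # armor headers, blank line
    r"(.*?)\n-----BEGIN PGP SIGNATURE-----", re.S)

def signed_fields(changes: str) -> dict:
    """Parse only the fields inside the clearsigned body; text outside it is unsigned."""
    m = CLEARSIGN.search(changes)
    if not m:
        raise ValueError("not a clearsigned .changes file")
    fields, key = {}, None
    for line in m.group(1).splitlines():
        if line.startswith("- "):              # undo clearsign dash-escaping
            line = line[2:]
        if line[:1] in (" ", "\t") and key:    # continuation of the previous field
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            key = key.strip().lower()
            if key in fields:                  # ambiguous input: refuse, do not guess
                raise ValueError(f"duplicate field: {key}")
            fields[key] = value.strip()
    return fields

def queue_decision(changes: str, archive: str = ARCHIVE) -> str:
    """Decide on an upload whose signature has already been verified (assumed)."""
    try:
        fields = signed_fields(changes)
    except ValueError as exc:
        return f"reject: {exc}"
    dest = fields.get("destination")           # field proposed in the message
    if dest is None:
        return "reject: no Destination field in signed body"
    if dest != archive:
        return f"reject: signed for {dest!r}, not {archive!r}"
    return "accept"

def sample(dest_line: str, prefix: str = "") -> str:
    """Constructed .changes text; the signature block is a placeholder, not real."""
    return (prefix + "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            "Format: 1.8\nSource: hello\nVersion: 1.0-1\n" + dest_line +
            "\n-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for d in ("Destination: Debian", "Destination: FriendsRepo", ""):
        print(repr(d), "->", queue_decision(sample(d)))
```

A `Destination:` line placed before the signed block, or given twice inside it, is rejected rather than honoured, so a replayed file cannot be relabelled without breaking the signature.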