Re: Packaging audit trail mechanism (was: Ubuntu and its "appropriation" of Debian maintainers)
On Thu, May 05, 2005 at 02:22:48AM -0700, Michael K. Edwards wrote:
> Personally, when I rebuild a package that might get handed to someone
> else -- even if I didn't touch the source, but am rebuilding in a
> known environment so I can reproduce it later -- I change the
> Maintainer field to an e-mail address that reaches me, and add a
> debian/changelog entry with an explanation of why it was rebuilt and
> an appropriate suffix on the version number. Otherwise, I'm risking:
I understand your motivation, but I don't think this is practical when
working on the scale of an entire distribution. A key reason why many new
distributions derive from an existing one is that they can use most of the
packages unchanged, and modify only the ones which are interesting in the
light of their particular goals.
> When I am distributing unaltered Debian source packages alone, or
> bit-exact copies of Debian binary packages, I don't worry as much
> about these things. Actually, in principle I ought to have a cache of
> the source packages associated with all binary packages I distribute,
You should definitely maintain a copy of the source, in order to be able to
meet licensing obligations.
> If I had Ubuntu's resources, I'd handle it differently. Relying on
> people (or even an automated process) to touch up debian/control and
> debian/changelog on rebuild is so 1990's. A Debian upload isn't
> acceptable without a signed changes file, and an autobuilt package
> doesn't make it onto ftpmaster without a signed buildd log (as I
> understand it, anyway). Soon it will be practical to install only
> signed binary packages (what gets signed in apt 0.6, actually?
> md5sums?) on a Debian / Debian-derived system. I would like to see
> all binary packages accompanied by information equivalent to the
> contents of a changes file, signed in a way that allows bug reporting
> tools to check the chain of trust and choose a bug report destination
apt 0.6 authenticates package archives (via the Release file); it won't
provide a basis for this kind of functionality.
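To make concrete what "authenticates package archives via the Release file" covers, here is an added illustration of that trust chain (example code written for this edit, not code from the thread, from apt, or from the Debian archive tools). It assumes constructed sample data: a stand-in byte string for a .deb, a one-stanza Packages index, and a Release file in the apt 0.6-era layout with MD5 digests; the gpg check of Release.gpg over the Release text is assumed to have already passed before these functions run, and the hostnames and maintainer address are placeholders.

```python
import hashlib

# Sample archive contents, constructed for this example (not a real Debian archive).
SAMPLE_DEB_NAME = "hello_1.0-1_i386.deb"
SAMPLE_DEB = b"!<arch>\nconstructed stand-in for the bytes of " + SAMPLE_DEB_NAME.encode() + b"\n"
INDEX_PATH = "main/binary-i386/Packages"


def md5hex(data: bytes) -> str:
    # apt 0.6-era Release and Packages files carry MD5 digests; later releases
    # added SHA1/SHA256 entries using the same layout.
    return hashlib.md5(data).hexdigest()


def make_packages_index(deb_name: str, deb_bytes: bytes) -> bytes:
    """Build a one-stanza Packages index describing the sample .deb (constructed)."""
    stanza = (
        "Package: hello\n"
        "Version: 1.0-1\n"
        "Architecture: i386\n"
        "Maintainer: Example Maintainer <maintainer@example.invalid>\n"
        f"Filename: pool/main/h/hello/{deb_name}\n"
        f"Size: {len(deb_bytes)}\n"
        f"MD5sum: {md5hex(deb_bytes)}\n"
        "Description: constructed sample package\n"
    )
    return stanza.encode()


def make_release(index_path: str, index_bytes: bytes) -> str:
    """Build a Release file listing the index; Release.gpg is a signature over this text."""
    return (
        "Origin: Example\n"
        "Suite: example\n"
        "MD5Sum:\n"
        f" {md5hex(index_bytes)} {len(index_bytes)} {index_path}\n"
    )


def parse_release_md5sums(release_text: str) -> dict:
    """Return {path: (md5, size)} from the MD5Sum: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_section:
            in_section = False  # another top-level field ends the section
    return entries


def parse_packages(packages_bytes: bytes) -> list:
    """Split a Packages index into stanzas, each a dict of field -> value."""
    stanzas = []
    for block in packages_bytes.decode().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """Step 1 of apt's chain: the (signed) Release file vouches for the index."""
    entry = parse_release_md5sums(release_text).get(index_path)
    return entry is not None and entry == (md5hex(index_bytes), len(index_bytes))


def verify_deb(packages_bytes: bytes, filename: str, deb_bytes: bytes) -> bool:
    """Step 2: the verified index vouches for the .deb by size and digest."""
    for stanza in parse_packages(packages_bytes):
        if stanza.get("Filename") == filename:
            return (stanza.get("Size") == str(len(deb_bytes))
                    and stanza.get("MD5sum") == md5hex(deb_bytes))
    return False


def verify_chain(release_text, index_path, index_bytes, filename, deb_bytes) -> bool:
    """Whole chain Release -> Packages -> .deb; it never identifies who built the .deb."""
    return (verify_index(release_text, index_path, index_bytes)
            and verify_deb(index_bytes, filename, deb_bytes))


if __name__ == "__main__":
    packages = make_packages_index(SAMPLE_DEB_NAME, SAMPLE_DEB)
    release = make_release(INDEX_PATH, packages)
    filename = f"pool/main/h/hello/{SAMPLE_DEB_NAME}"
    print("genuine .deb verifies:", verify_chain(release, INDEX_PATH, packages, filename, SAMPLE_DEB))
    print("altered .deb verifies:", verify_chain(release, INDEX_PATH, packages, filename, SAMPLE_DEB + b"x"))
```

The point the example makes is the one the reply states: the signature over Release binds the archive's index files, and the index in turn binds each .deb by digest, so a modified .deb or a modified Maintainer line in the index is detected. Nothing in that chain records who rebuilt a package or in what environment; that provenance (the changes file and buildd log the quoted message mentions) is outside what apt 0.6 checks.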