Re: Packaging audit trail mechanism (was: Ubuntu and its "appropriation" of Debian maintainers)

To: debian-devel@lists.debian.org
Subject: Re: Packaging audit trail mechanism (was: Ubuntu and its "appropriation" of Debian maintainers)
From: Matt Zimmerman <mdz@debian.org>
Date: Thu, 5 May 2005 11:53:15 -0700
Message-id: <[🔎] 20050505185315.GG25438@alcor.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 625a0e6505050502224cac6c70@mail.gmail.com>
References: <42743211.5000908@galacticasoftware.com> <[🔎] 20050501094019.GC3457@djpig.de> <[🔎] 20050501191014.GB17528@debian.org> <[🔎] 20050501193657.GS10453@mails.so.argh.org> <[🔎] 20050501202359.GD29865@alcor.net> <[🔎] 20050502184644.GB9914@finlandia.infodrom.north.de> <[🔎] 20050502220610.GR29865@alcor.net> <[🔎] 625a0e6505050502224cac6c70@mail.gmail.com>

On Thu, May 05, 2005 at 02:22:48AM -0700, Michael K. Edwards wrote:

> Personally, when I rebuild a package that might get handed to someone
> else -- even if I didn't touch the source, but am rebuilding in a
> known environment so I can reproduce it later -- I change the
> Maintainer field to an e-mail address that reaches me, and add a
> debian/changelog entry with an explanation of why it was rebuilt and
> an appropriate suffix on the version number.  Otherwise, I'm risking:

I understand your motivation, but I don't think this is practical when
working on the scale of an entire distribution.  A key reason why many new
distributions derive from an existing one is that they can use most of the
packages unchanged, and modify only the ones which are interesting in the
light of their particular goals.

> When I am distributing unaltered Debian source packages alone, or
> bit-exact copies of Debian binary packages, I don't worry as much
> about these things.  Actually, in principle I ought to have a cache of
> the source packages associated with all binary packages I distribute,

You should definitely maintain a copy of the source, in order to be able to
meet licensing obligations.

> If I had Ubuntu's resources, I'd handle it differently.  Relying on
> people (or even an automated process) to touch up debian/control and
> debian/changelog on rebuild is so 1990's.  A Debian upload isn't
> acceptable without a signed changes file, and an autobuilt package
> doesn't make it onto ftpmaster without a signed buildd log (as I
> understand it, anyway).  Soon it will be practical to install only
> signed binary packages (what gets signed in apt 0.6, actually?
> md5sums?) on a Debian / Debian-derived system.  I would like to see
> all binary packages accompanied by information equivalent to the
> contents of a changes file, signed in a way that allows bug reporting
> tools to check the chain of trust and choose a bug report destination
> accordingly.

apt 0.6 authenticates package archives (via the Release file); it won't
provide a basis for this kind of functionality.

-- 
 - mdz

Reply to:

References:
- Re: Ubuntu and its "appropriation" of Debian maintainers
  - From: Frank Lichtenheld <djpig@debian.org>
- Re: Ubuntu and its "appropriation" of Debian maintainers
  - From: James Treacy <treacy@debian.org>
- Re: Ubuntu and its "appropriation" of Debian maintainers
  - From: Andreas Barth <aba@not.so.argh.org>
- Re: Ubuntu and its "appropriation" of Debian maintainers
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Ubuntu and its "appropriation" of Debian maintainers
  - From: Martin Schulze <joey@infodrom.org>
- Re: Ubuntu and its "appropriation" of Debian maintainers
  - From: Matt Zimmerman <mdz@debian.org>
- Packaging audit trail mechanism (was: Ubuntu and its "appropriation" of Debian maintainers)
  - From: "Michael K. Edwards" <m.k.edwards@gmail.com>

Prev by Date: Re: debian sarge is 3.2 or 4 ?
Next by Date: Re: Is Petr Cech <cech@debian.org> MIA?
Previous by thread: Packaging audit trail mechanism (was: Ubuntu and its "appropriation" of Debian maintainers)
Next by thread: Re: Ubuntu and its "appropriation" of Debian maintainers
Index(es):
- Date
- Thread