
Re: Rejected: epcr_2.3.9-1.dsc: sha1 check failed

On Thu, Apr 17, 2008 at 08:48:21AM +0100, Adam D. Barratt wrote:
> Roberto C. Sánchez wrote, Thursday, April 17, 2008 2:24 AM
> On Wed, Apr 16, 2008 at 04:25:46PM +0100, Matthew Johnson wrote:
> >>do you have updated devscripts? debsign signs the dsc then updates the
> >>md5 hash in the changes before signing that. It needs to update the sha
> >>checks as well. The latest devscripts does.
> >Will the devscripts in stable be updated to handle this?  If so, when?
> >If not, why not?
> (If you're looking for an answer from the maintainers of a package it's 
> probably safer to ask them directly rather than assuming they read every 
> post on debian-devel; admittedly several of us do, but... :-)
> I'm not convinced it meets the SRM team's criteria for a stable update, as 
> laid out in http://release.debian.org/stable/4.0/4.0r3/ et al.
> 2.10.25 should migrate to testing over the weekend, so hopefully a bpo 
> package won't be too much longer. In the meantime it's fairly easy to 
> backport yourself, as several people have already done, or simply copy the 
> new script over from an unstable machine. Other than the update for the new 
> .changes file format, there have been relatively few changes to debsign 
> since the version in etch, and those have all been bugfixes.
IMO, that sort of misses the point.  While I maintain quite a few
packages in Debian, the only places I run unstable/testing are in one VM
(for testing/reproducing/fixing bugs that I cannot reproduce in stable)
and in some chroots.  The point is that I should be able to build my
packages inside of a pbuilder or other type of chroot, sign the package
on my host system and be reasonably sure that my package will be
accepted into the archive.  If the archive software breaks compatibility
with the current stable release of (insert name of whatever tool is
affected, specifically devscripts in this case), then it looks bad on

Now, I do occasionally use backports and I also backport things on my
own when I need it.  However, this is a change that affects every single
DD who runs stable as a primary system (which I am certain is a
significant number) and should be handled through official channels,
such as a special "DSA" (or comparable since this is not really a
security issue) or at the very least through a point release (however,
those can be spaced rather far apart).



Roberto C. Sánchez

Attachment: signature.asc
Description: Digital signature
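
The mismatch described in the quoted text (the .dsc is signed, the md5 entry in the .changes is refreshed, the SHA entries are not) can be checked locally before upload. The Python sketch below is an added example, not part of the original message or of devscripts; the function names and the sample .dsc/.changes content are constructed, and it assumes the older debsign refreshed both size and md5 in `Files`.

```python
import hashlib

# .changes field name -> hash algorithm recorded in that field
FIELDS = {"Files": "md5", "Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}

def parse_checksums(changes_text):
    """Return {field: {filename: (hexdigest, size)}} for the checksum fields."""
    out, current = {}, None
    for line in changes_text.splitlines():
        if line[:1] in (" ", "\t"):              # continuation line of a field
            parts = line.split()
            if current and len(parts) >= 3:
                # digest first, size second, filename last
                # (Files carries section and priority in between)
                out[current][parts[-1]] = (parts[0], int(parts[1]))
        else:
            name = line.split(":", 1)[0]
            current = name if name in FIELDS else None
            if current:
                out[current] = {}
    return out

def verify(changes_text, files):
    """files: {filename: bytes}. Return sorted (field, filename, problem) tuples."""
    problems = []
    for field, entries in parse_checksums(changes_text).items():
        for fname, (digest, size) in entries.items():
            data = files.get(fname)
            if data is None:
                problems.append((field, fname, "missing"))
                continue
            if size != len(data):
                problems.append((field, fname, "size"))
            if hashlib.new(FIELDS[field], data).hexdigest() != digest:
                problems.append((field, fname, "digest"))
    return sorted(problems)

def stale_changes(name, unsigned, signed):
    """Constructed .changes body: Files refreshed after signing, Checksums-* stale."""
    row = lambda alg, d: f" {hashlib.new(alg, d).hexdigest()} {len(d)}"
    return (f"Files:\n{row('md5', signed)} misc optional {name}\n"
            f"Checksums-Sha1:\n{row('sha1', unsigned)} {name}\n"
            f"Checksums-Sha256:\n{row('sha256', unsigned)} {name}\n")

NAME = "epcr_2.3.9-1.dsc"
UNSIGNED = b"Source: epcr\nVersion: 2.3.9-1\n"          # constructed .dsc body
SIGNED = (b"-----BEGIN PGP SIGNED MESSAGE-----\n\n" + UNSIGNED +
          b"-----BEGIN PGP SIGNATURE-----\n(constructed)\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for problem in verify(stale_changes(NAME, UNSIGNED, SIGNED), {NAME: SIGNED}):
        print(problem)
```

The `Files` entry passes while both `Checksums-*` entries fail on size and digest, which matches a rejection on the sha1 check rather than on md5.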
