[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: no-strong-digests-in-dsc MBF

Hi Matthias,

On Wed, 18 Jan 2017 00:31:44 Matthias Klumpp wrote:
> > The hashes inside the .dsc file are not used in Debian once the package
> > has
> > been accepted by dak.
> I do require them in Debian derivatives (Tanglu / PureOS) and .dsc
> files without the up-to-date signatures are quite a pain to handle. 

Remaking the hashes in the dscs on a few packages isn't going to fix the much 
wider signature problem, unfortunately. You're always going to have an 
exciting selection of signatures on both old and new packages that are hard to 
work with for the reasons already enumerated.

Without knowing your workflow for importing packages, does not the Sources 
index provide better and most importantly, signed information?

> > * The trustable way of getting the source package is with apt-get source,
> > when apt verifies the Release signature → hashes → Sources → hashes for
> > each part of the source package: dsc, orig.tar.gz, diff.gz/diff.tar.xz
> If you mirror Debian's archive into dak again, this becomes a problem,
> since dak (for good reason) will not import packages with weak
> checksums, so re-importing source packages is a challenge.

Ahh... and I  take it that's not configurable in dak. So reuploading the 
packages would solve half the problem (hashes) but not the other half 


Stuart Prescott    http://www.nanonanonano.net/   stuart@nanonanonano.net
Debian Developer   http://www.debian.org/         stuart@debian.org
GPG fingerprint    90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7

Reply to: