Re: no-strong-digests-in-dsc MBF
On Wed, 18 Jan 2017 00:31:44 Matthias Klumpp wrote:
> > The hashes inside the .dsc file are not used in Debian once the package has
> > been accepted by dak.
> I do require them in Debian derivatives (Tanglu / PureOS) and .dsc
> files without the up-to-date signatures are quite a pain to handle.

Remaking the hashes in the dscs on a few packages isn't going to fix the much
wider signature problem, unfortunately. You're always going to have an
exciting selection of signatures on both old and new packages that are hard to
work with for the reasons already enumerated.

Without knowing your workflow for importing packages, does not the Sources
index provide better and, most importantly, signed information?

> > * The trustable way of getting the source package is with apt-get source,
> > when apt verifies the Release signature → hashes → Sources → hashes for
> > each part of the source package: dsc, orig.tar.gz, diff.gz/diff.tar.xz
> If you mirror Debian's archive into dak again, this becomes a problem,
> since dak (for good reason) will not import packages with weak
> checksums, so re-importing source packages is a challenge.

Ahh... and I take it that's not configurable in dak. So reuploading the
packages would solve half the problem (hashes) but not the other half

Stuart Prescott http://www.nanonanonano.net/ email@example.com
Debian Developer http://www.debian.org/ firstname.lastname@example.org
GPG fingerprint 90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7
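
The following is an added example, not part of the message above and not code from dak or apt: a sketch of the last link in the Release → Sources → per-file hash chain, checking each part of a source package against the `Checksums-Sha256` field of a Sources index stanza instead of the hashes inside the .dsc. It assumes the Sources index has already been authenticated through the signed Release file; the package name, file names and contents are constructed.

```python
import hashlib

# Constructed sample files for a made-up source package "hello".
FILES = {
    "hello_1.0-1.dsc": b"constructed dsc contents\n",
    "hello_1.0.orig.tar.gz": b"constructed orig tarball\n",
    "hello_1.0-1.debian.tar.xz": b"constructed debian tarball\n",
}

def build_stanza(files):
    """Build a constructed Sources-style stanza listing the given files."""
    lines = ["Package: hello", "Version: 1.0-1", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    return "\n".join(lines) + "\n"

def parse_checksums(stanza, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from a multi-line deb822 field."""
    result, in_field = {}, False
    for line in stanza.splitlines():
        if line.startswith((" ", "\t")):      # continuation of the current field
            if in_field:
                digest, size, name = line.split()
                result[name] = (digest.lower(), int(size))
        else:                                  # a new field starts here
            in_field = line.split(":", 1)[0] == field
    return result

def verify_source(stanza, files):
    """Check every listed file against the index; return a list of problems.

    Assumption: 'stanza' comes from a Sources index whose own hash was
    checked against a signature-verified Release file beforehand.
    """
    expected = parse_checksums(stanza)
    if not expected:
        return ["no Checksums-Sha256 field: refuse rather than fall back to MD5/SHA1"]
    problems = []
    for name, (digest, size) in expected.items():
        data = files.get(name)
        if data is None:
            problems.append("%s: missing" % name)
        elif len(data) != size:
            problems.append("%s: size mismatch" % name)
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append("%s: sha256 mismatch" % name)
    return problems
```
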