
Re: Updated proposal for improving the FTP NEW process



On Wed, Apr 11, 2018 at 02:05:03PM -0700, Russ Allbery wrote:
> Adrian Bunk <bunk@debian.org> writes:
> 
> > Imagine tomorrow a random person from the internet no one has ever heard
> > of uploads a package dgit 5.0 to mentors.d.n.
> 
> > It is clear that this would not be sponsored.
> 
> > "detected by tooling" would mean that this would result in dak
> > autorejecting any future uploads of a dgit package version 5.0 to
> > Debian.
> 
> This sounds like a feature?  I think that would be exactly the right
> outcome.  It avoids any possibility of confusion with this rogue 5.0
> version, if it should turn up somewhere else.

Debian version numbers are usually not globally unique.

The binary packages of dgit 4.3 in Debian and Ubuntu are different
builds from the same sources, and for binary-any packages such
different builds usually have different contents.[1]

And more common is actually the reverse problem of someone publishing
a different 5.0 after a 5.0 is already in our archive (usually by
making modifications without changing the version number).

> Version numbers are composed of integers.  Getting another integer is
> free, and there is not a limited supply.  We won't run out, and missing
> sequence numbers cause no problems in the world.

Giving every person on the internet the power to steal version numbers
for random packages would be dangerous.

There's implicit meaning behind version numbers, like debhelper 12
being the first version where compat 12 will be stable.

Apart from obvious (scripted) DoS for taking all reasonable numbers for
a package, it would also e.g. encourage derivatives to steal Debian
version numbers instead of using a proper namespace.[2]

Versions of packages that are accepted into our archive must be unique,
but random people from the internet should not have the power to
restrict what a maintainer can do in Debian.

cu
Adrian

[1] e.g. different Debian revisions of gcc usually generate slightly
    different code
[2] e.g. using 1.0-2 instead of 1.0-1devuan, resulting in an
    improved dak autorejecting a maintainer upload of 1.0-2

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
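The argument above turns on what "unique version" means to the archive: two uploads collide when dpkg considers their version strings equal, and a derivative's namespaced revision such as 1.0-1devuan sorts between 1.0-1 and 1.0-2 without clashing with either. As an added example that is not part of this thread or of dak, the following Python port of dpkg's version-ordering rules (epoch, upstream, revision; '~' sorts first; digit runs compare numerically) includes a small `find_collision` helper of the kind an archive-side uniqueness check needs. The version lists it runs on are constructed for illustration.

```python
"""Debian version comparison, to show why colliding version strings matter.

Added example (not from the debian-devel thread): a Python port of dpkg's
version-ordering rules from Debian Policy's Version section, plus a helper an
archive maintainer could use to check whether a candidate upload collides with
a version that is already in the archive. Sample version lists below are
constructed for illustration.
"""


def _order(c: str) -> int:
    """Sort weight of a single non-digit character, as dpkg defines it."""
    if c == "~":
        return -1           # '~' sorts before anything, even the end of string
    if c.isalpha():
        return ord(c)       # letters sort before non-letters ...
    return ord(c) + 256     # ... and other punctuation after them


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) the dpkg way.

    Alternates between non-digit runs (compared character by character with
    _order) and digit runs (compared numerically, ignoring leading zeros).
    """
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # 1. compare the non-digit prefixes
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0   # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # 2. compare the numeric parts, dropping leading zeros
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1        # a has more significant digits left
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff != 0:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as dpkg --compare-versions would order a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r != 0:
            return 1 if r > 0 else -1
    return 0


def find_collision(candidate: str, archive_versions):
    """Return the archive version that compares equal to candidate, or None.

    Plain string equality is not enough: '1.0-02' and '1.0-2' are the same
    version to dpkg, so an archive-side uniqueness check must use the real
    ordering.
    """
    for v in archive_versions:
        if compare_versions(candidate, v) == 0:
            return v
    return None


if __name__ == "__main__":
    # Constructed sample: versions a Debian archive already holds for 'foo'.
    in_archive = ["1.0-1", "1.0-2"]
    # A derivative reusing Debian's numbering collides ...
    print(find_collision("1.0-2", in_archive))          # 1.0-2
    # ... while a namespaced revision sorts between 1.0-1 and 1.0-2 without clashing.
    print(find_collision("1.0-1devuan", in_archive))    # None
    print(compare_versions("1.0-1", "1.0-1devuan"),
          compare_versions("1.0-1devuan", "1.0-2"))     # -1 -1
```

Note that `find_collision` deliberately compares with the dpkg ordering rather than string equality: 1.0-02 is the same version as 1.0-2, and 1:1.0-1 is a different version from 1.0-1, which a naive string check would get wrong in both directions.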
