Hi,

Quoting MOESSBAUER, Felix (2025-10-24 11:50:28)
> We further got the hint by @pkern (thanks for that!), that a name+version
> might not be sufficient to precisely identify a package (at least not across
> archives). By that, we also need checksums to ensure that a package we later
> lookup is actually the one we had at time of "scanning".

yes. This is tracked as this bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072205

I have not yet heard an argument against somehow trying to make sure that
packages should not have the property of being unique by their
name/version/arch triplet. We just still lack the tooling to make sure that new
packages do not violate this principle.

Thanks!

cheers, josch

P.S.: Holger made me aware of this thread via IRC and I haven't seen any
mention of above bug yet, so here it goes. :)
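The check discussed in this message, sketched as an added example (not part of the original e-mail and not existing Debian tooling): it reads `Packages`-style indices from several archives and reports every name/version/arch triplet that maps to more than one SHA256. The archive names, package entries and digests are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict

def parse_stanzas(index_text):
    """Yield one dict per stanza of a deb822-style Packages index."""
    for block in re.split(r"\n\s*\n", index_text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:      # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            yield fields

def triplet_collisions(archives):
    """Return {(name, version, arch): {sha256: [archive, ...]}} for every
    triplet that maps to more than one distinct SHA256."""
    seen = defaultdict(lambda: defaultdict(list))
    for archive, index_text in archives.items():
        for pkg in parse_stanzas(index_text):
            try:
                key = (pkg["Package"], pkg["Version"], pkg["Architecture"])
                sha = pkg["SHA256"]
            except KeyError:
                continue                              # incomplete stanza, skip
            seen[key][sha].append(archive)
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}

def _digest(label):
    # Constructed stand-in for the SHA256 of a .deb file.
    return hashlib.sha256(label.encode()).hexdigest()

def _stanza(name, version, arch, label):
    return (f"Package: {name}\nVersion: {version}\n"
            f"Architecture: {arch}\nSHA256: {_digest(label)}\n")

# Constructed sample indices for two hypothetical archives.
SAMPLE_ARCHIVES = {
    "archive-a": "\n".join([_stanza("hello", "2.10-3", "amd64", "hello build A"),
                            _stanza("zlib1g", "1:1.3-1", "amd64", "zlib build")]),
    "archive-b": "\n".join([_stanza("hello", "2.10-3", "amd64", "hello build B"),
                            _stanza("zlib1g", "1:1.3-1", "amd64", "zlib build")]),
}

if __name__ == "__main__":
    for triplet, digests in triplet_collisions(SAMPLE_ARCHIVES).items():
        print(triplet, {d[:12]: where for d, where in digests.items()})
```

A triplet that appears in several archives with the same digest is not reported; only diverging checksums are.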