Re: Re: Debian: what precisely identifies a source package
On Mon, Oct 27, 2025 at 09:38:04AM +0000, MOESSBAUER, Felix wrote:
>...
> Regarding checksums: I'm wondering if the uniqueness of
> name/version/arch triplets just refers to the content of a package, or
> also to the .dsc file with its signature. IOW: Should it be allowed to
> re-sign a .dsc file without changing the version? Here, I'm also
> considering the case that a package is copied from debian-security to
> debian.
This shouldn't happen.
Importing packages from debian-security to (old)stable is basically an 
upload, and you need the signature of the uploader for that.
When you download a source package from Ubuntu that does not have 
"ubuntu" or "build" in the version string, the .dsc still contains
the signature that was used for uploading it to Debian.
> Maybe that could be documented as well, in case the decision is made.
>...
I don't think anything needs a decision; what is missing are checks in
tooling that would result in a rejection of the upload.
> Felix
cu
Adrian
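
The kind of tooling check the reply above says is missing, sketched as an added example (not part of the original message and not code from any Debian archive tool): it compares an incoming clearsigned .dsc against one already known for the same Source/Version and flags changed content or a changed signature. The function names, result strings and sample .dsc text are constructed for illustration, and the OpenPGP signature is only compared byte-wise, not cryptographically verified.

```python
import hashlib
import re

def make_dsc(version, sha, sig):
    """Build a constructed sample .dsc (not a real upload; signature is a placeholder)."""
    return (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
        "Format: 3.0 (quilt)\nSource: hello\n"
        f"Version: {version}\n"
        "Checksums-Sha256:\n"
        f" {sha} 1024 hello_{version}.orig.tar.xz\n"
        "-----BEGIN PGP SIGNATURE-----\n\n"
        f"{sig}\n-----END PGP SIGNATURE-----\n"
    )

# Clearsign layout: armor headers, blank line, signed body, then the signature block.
CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n"
    r"(?P<body>.*?)\n-----BEGIN PGP SIGNATURE-----\n"
    r"(?P<sig>.*?)-----END PGP SIGNATURE-----", re.S)

def parse_dsc(text):
    """Split a clearsigned .dsc into signed body and signature; extract Source/Version."""
    m = CLEARSIGN.search(text)
    if not m:
        raise ValueError("not a clearsigned .dsc")
    body = m.group("body")
    fields = dict(re.findall(r"^(Source|Version): (.+)$", body, re.M))
    return {
        "key": (fields["Source"], fields["Version"]),
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
        "sig_sha256": hashlib.sha256(m.group("sig").strip().encode()).hexdigest(),
    }

def compare_upload(known_text, incoming_text):
    """Classify an incoming .dsc against one already recorded (hypothetical policy)."""
    known, incoming = parse_dsc(known_text), parse_dsc(incoming_text)
    if known["key"] != incoming["key"]:
        return "new-version"
    if known["body_sha256"] != incoming["body_sha256"]:
        return "reject: same source/version, different content"
    if known["sig_sha256"] != incoming["sig_sha256"]:
        return "reject: same source/version, re-signed"
    return "identical"
```
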