Re: Debian: what precisely identifies a source package

[Philipp Kern <pkern@debian.org>]

On 2025-10-30 13:52, Adrian Bunk wrote:
> On Mon, Oct 27, 2025 at 09:38:04AM +0000, MOESSBAUER, Felix wrote:
> > ...
> > Regarding checksums: I'm wondering if the uniqueness of
> > name/version/arch triplets just refers to the content of a package, or
> > also to the .dsc file with its signature. IOW: Should it be allowed to
> > re-sign a .dsc file without changing the version? Here, I'm also
> > considering the case that a package is copied from debian-security to
> > debian.
>
> This shouldn't happen.
>
> Importing packages from debian-security to (old)stable is basically an
> upload, and you need the signature of the uploader for that.

Because it is, it can change because it might need resigning because the 
original signer's key might not (currently) be valid at the point of 
copy.

Kind regards
Philipp Kern