
RE: New field proposed, UUID

> -----Original Message-----
> From: Sean 'Shaleh' Perry [mailto:shaleh@valinux.com]
> > Your UUID is the pkg+version+arch.  From my viewpoint it's as simple as
> > that.  Maybe the official policy needs to be updated so that it is clear
> > that any change to the binary packages, including just compile time changes,
> > requires a version update?  That way you could change your "sigs" as often
> > as you'd like but you would know that a particular build was a particular
> > build.
> Ben neglected to talk about the signing policy ....
> You compile your package and upload it (signed by you) to unstable.  6 months
> later, when we are ready to release, the Release Manager has a Release Key and
> the packages themselves are signed by this key.  Using md5sums fails here
> because the contents of the deb have changed (the sig was added).  The version
> number should not be bumped because there is no packaging change.

Sorry, I'm not a Debian developer so honestly don't know all the policies or
processes behind making debs.  But, it seems clear to me that if you use the
pkg+version+arch as your UUID then a change in the md5sum caused by adding a
signature would not affect the "UUID" and therefore be moot.  When I say any
change in the "binary package" I mean any change in the binary files that
get installed when the package is installed.  I'm not talking about a change
in the deb file itself.

Or am I totally confused?

Fred Reimer
Eclipsys Corporation
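
The distinction argued in this message, as an added example (not code from the thread or from Debian): a .deb is an ar archive, so appending a signature member changes the md5sum of the file while the pkg+version+arch tuple and the installed payload stay the same. The archive is constructed in memory with placeholder member contents instead of real tarballs; the member name `_gpgorigin` and the sample package fields are assumptions.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
# Constructed sample control fields (not a real package).
CONTROL = "Package: hello\nVersion: 1.0-1\nArchitecture: i386\n"

def ar_member(name: str, data: bytes) -> bytes:
    """Encode one ar member: 60-byte header, data, newline pad to an even length."""
    header = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
        name.encode(), 0, 0, 0, b"100644", len(data))
    return header + data + (b"\n" if len(data) % 2 else b"")

def build_deb(signature: bytes = b"") -> bytes:
    """Constructed stand-in for a .deb; a signature is appended as one more member."""
    blob = (AR_MAGIC + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar", CONTROL.encode())        # placeholder, not a tarball
            + ar_member("data.tar", b"installed-files-placeholder"))
    return blob + (ar_member("_gpgorigin", signature) if signature else b"")

def parse_ar(blob: bytes) -> dict:
    """Return {member name: data} for a common-format ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        size = int(header[48:58].decode())
        members[header[:16].decode().rstrip(" /")] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)   # skip the pad byte after odd-sized data
    return members

def identity(control_text: str) -> tuple:
    """The pkg+version+arch tuple proposed in the thread as the identifier."""
    fields = dict(l.split(": ", 1) for l in control_text.splitlines() if ": " in l)
    return fields["Package"], fields["Version"], fields["Architecture"]

def fingerprint(blob: bytes) -> dict:
    """Whole-file md5 (what changes) next to payload md5 and identity (what does not)."""
    members = parse_ar(blob)
    return {"file_md5": hashlib.md5(blob).hexdigest(),
            "payload_md5": hashlib.md5(members["data.tar"]).hexdigest(),
            "identity": identity(members["control.tar"].decode())}

if __name__ == "__main__":
    for label, sig in (("unsigned", b""), ("signed", b"constructed-signature")):
        print(label, fingerprint(build_deb(sig)))
```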
