Re: New field proposed, UUID
On Wed, Nov 29, 2000 at 04:12:39PM -0800, Sean 'Shaleh' Perry wrote:
> > Your UUID is the pkg+version+arch. From my viewpoint it's as simple as
> > that. Maybe the official policy needs to be updated so that it is clear
> > that any change to the binary packages, including just compile time changes,
> > requires a version update? That way you could change your "sigs" as often
> > as you'd like but you would know that a particular build was a particular
> > build.
>
> Ben neglected to talk about the signing policy ....
>
> You compile your package and upload it (signed by you) to unstable. 6 months
> later, when we are ready to release, the Release Manager has a Release Key and
> the packages themselves are signed by this key. Using md5sums fails here
> because the contents of the deb have changed (the sig was added). The version
> number should not be bumped because there is no packaging change.
Plus pkg+version+arch is not always enough. Note (even though it is a
bug/mistake in its own right), there are potato/woody packages with the
same version and arch, that are not the same binary. This is very
important from a security/signing standpoint.
Ben
--
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins@debian.org -- bcollins@openldap.org -- bcollins@linux.com '
`---=========------=======-------------=-=-----=-===-======-------=--=---'
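The two failure modes raised in this message, as an added example that is not code from this thread or from dpkg: a minimal model of the ar container a .deb uses, showing that a whole-file md5sum changes once a release signature member is appended, while two different builds can still share pkg+version+arch, and that a digest over just the build members separates both cases. The `_gpgbuilder` member name and the `_gpg` prefix rule are assumptions, and the package contents are constructed.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_pack(members):
    """Build a minimal ar archive (the .deb container) from (name, bytes) pairs."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
               + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n")
        out += hdr.encode("ascii") + data
        if len(data) % 2:  # ar pads every member to an even offset
            out += b"\n"
    return bytes(out)

def ar_unpack(blob):
    """Parse an ar archive into an ordered list of (name, bytes)."""
    assert blob.startswith(AR_MAGIC), "not an ar archive"
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[0:16].decode("ascii").rstrip()
        size = int(hdr[48:58].decode("ascii").strip())
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return members

def whole_file_md5(blob):
    """The naive identity: md5sum of the .deb exactly as shipped."""
    return hashlib.md5(blob).hexdigest()

def payload_digest(blob):
    """Identity over the build output only: skip signature members
    (assumed, debsigs-style, to be named with a '_gpg' prefix)."""
    h = hashlib.sha256()
    for name, data in ar_unpack(blob):
        if not name.startswith("_gpg"):
            h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def add_signature(blob, sig):
    """Model a release signature being appended as an extra ar member (assumed name)."""
    return ar_pack(ar_unpack(blob) + [("_gpgbuilder", sig)])

# Constructed samples: two different builds that would both be called foo_1.0_i386
BUILD_A = ar_pack([("debian-binary", b"2.0\n"), ("control.tar.gz", b"ctl"), ("data.tar.gz", b"data-A")])
BUILD_B = ar_pack([("debian-binary", b"2.0\n"), ("control.tar.gz", b"ctl"), ("data.tar.gz", b"data-B")])
SIGNED_A = add_signature(BUILD_A, b"constructed-release-signature")
```

The whole-file md5 of SIGNED_A differs from BUILD_A even though nothing in the build changed, while the payload digest is unchanged by signing and still tells BUILD_A from BUILD_B.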