[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: New field proposed, UUID

> -----Original Message-----
> From: Ben Collins [mailto:bcollins@debian.org]
> Plus pkg+version+arch is not always enough. Note (even though it is a
> bug/mistake in it's own right), there are potato/woody 
> packages with the
> same version and arch, that are not the same binary. This is very
> important from a security/signing standpoint.
> Ben

Well then you fix the bugs instead of changing the system.  If there are two
packages with the same pkg+ver+arch and they are actually different I'd
think the preferable "fix" is to release a new "official" package with a new
version number and have everyone install the new package, even if they have
the "good" version installed currently.  As this doesn't, or shouldn't,
happen too often it shouldn't be a big burden for users.  Besides, who
released the two conflicting packages?  They are responsible for their
mistake and should take that responsibility.  Supposedly they signed their
packages before they uploaded them, so there can't be a security issue

I still haven't heard a reasonable explanation of why this is needed (not
that I have a say in what Debian does anyway, I'm just an interested user).
Perhaps if you could outline the security system as others suggested it
would help clarify the issue.

Fred Reimer
Eclipsys Corporation

Reply to: