On 12/31/2014 12:19 AM, Thorsten Glaser wrote:
> On Tue, 30 Dec 2014, tony mancill wrote:
>
>> I built them today using the method described above, and the .changes
>> file (openjdk-8_8u40~b09-1_amd64.changes) is signed with my Debian GPG key.
>
> If you do that, ABSOLUTELY MAKE SURE TO CHANGE THE LINE
> Distribution: unstable
> to something like:
> Distribution: myppa
>
> Otherwise, *everyone* could now upload these files to
> ftp-master, which would result in YOU signing for an
> (unauthorised) upload to Debian sid. With bad timing,
> you would not even realise that before the time for
> dcut passes. Big shit.

Hi Thorsten,

This is definitely a concern in the general case - thank you for
explaining it clearly. I like the idea of using "myppa" or similar,
since this is just for convenience.

In this specific case, the same version I built has already been
uploaded and accepted into the archive [1] and so cannot be accepted
again. Nonetheless, I'll delete the .changes file.

Thank you,
tony

[1] https://packages.qa.debian.org/o/openjdk-8/news/20141014T120710Z.html
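A pre-publication check for the situation discussed in this thread, as an added example that is not part of the original messages: it reads a clearsigned .changes file and refuses to publish it when the signed Distribution field names an official suite. The suite list, function names and sample file contents are assumptions constructed for illustration.

```python
import re

# Assumption: base suite names an official archive would accept; extend as needed.
OFFICIAL_SUITES = {"unstable", "sid", "experimental", "testing", "stable", "oldstable"}

CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)\n-----BEGIN PGP SIGNATURE-----",
    re.S,
)

def signed_body(text):
    """Return (payload, is_signed); the payload is what the signature covers."""
    m = CLEARSIGN.search(text)
    return (m.group(1), True) if m else (text, False)

def distribution(text):
    """Value of the top-level Distribution field, or None if absent."""
    body, _ = signed_body(text)
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        # Indented lines are continuations of the previous field, not fields.
        if sep and not line[0].isspace() and name.lower() == "distribution":
            return value.strip()
    return None

def safe_to_publish(text):
    """Return (ok, reason) for sharing this .changes file outside the archive."""
    dist = distribution(text)
    if dist is None:
        return False, "no Distribution field found"
    _, is_signed = signed_body(text)
    # "stable-proposed-updates" and similar count as their base suite.
    hits = [d for d in dist.split() if d.split("-")[0].lower() in OFFICIAL_SUITES]
    if is_signed and hits:
        return False, "signed for official suite(s): " + ", ".join(hits)
    return True, "Distribution is " + dist

# Constructed sample; the signature block is a placeholder, not a real signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Source: openjdk-8
Version: 8u40~b09-1
Distribution: {dist}
-----BEGIN PGP SIGNATURE-----

(constructed placeholder)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for dist in ("unstable", "myppa"):
        print(dist, safe_to_publish(SAMPLE.format(dist=dist)))
```

Because the Distribution line sits inside the signed payload, it has to be set to the private name before signing; editing it afterwards invalidates the signature.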