
Re: Guidance on version-identical source packages with different checksums



On Mon, 2025-10-20 at 10:48 +0000, MOESSBAUER, Felix wrote:
> Dear snapshot team,
> 
> we just noticed the following oddity regarding what precisely
> identifies a Debian source package:
> 
> The sratom 0.6.14-1 source is available in multiple archives (e.g.
> debian, debian-debug and debian-ports), but the version in ports has a
> different checksum [1]. Diffoscope shows that the changelog is
> different in the hurd archive:
> 
> ├── debian/changelog
> │ @@ -1,8 +1,8 @@
> │ -sratom (0.6.14-1) unstable; urgency=medium
> │ +sratom (0.6.14-1) unreleased; urgency=medium
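Review bot: in the lines shown, the only change is the changelog's distribution field, "unstable" on the debian side versus "unreleased" on the ports side; the hunk header declares eight lines on each side but only the two changed lines are quoted, so this excerpt cannot show whether the entry's trailer (maintainer and date) also differs, which matters when judging whether the ports copy was built from an unfinished changelog rather than simply re-uploaded.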
> 
> Our assumption was that a Debian source package is precisely
> identified by its name and version, but this does not seem to be true.
> Is this indeed not required by the policies, or are these findings
> bugs?
> 
> [1] https://snapshot.debian.org/package/sratom/0.6.14-1/

We just found another package where the .dsc file is listed multiple
times, this time semantically identical, but with an updated signature
(same key, different timestamp). One of the artifacts is also found in
the current bookworm release [3]. Adding the key owners in CC.

Are these re-signings actually expected?

[2]
https://snapshot.debian.org/package/golang-github-grpc-ecosystem-go-grpc-middleware/1.3.0-1/
[3]
https://packages.debian.org/source/bookworm/golang-github-grpc-ecosystem-go-grpc-middleware

Best regards,
Felix

> 
> Best regards,
> Felix Moessbauer
> 
> -- 
> Siemens AG
> Linux Expert Center
> Friedrich-Ludwig-Bauer-Str. 3
> 85748 Garching, Germany

-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany
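The two cases raised in this thread, a re-signed .dsc whose signed text is unchanged versus a .dsc whose listed .debian.tar checksum changed because debian/changelog differs, can be told apart mechanically. The following is an added example, not code from this thread, from snapshot.debian.org or from any Debian tool: it strips the OpenPGP clear-signature armour from a .dsc, compares the signed payload, and then compares the Checksums-Sha256 entries. The package name, file names, hashes and signature blobs in the sample .dsc texts are constructed and not real; real-world use would first verify the signatures with gpg or dscverify.

```python
"""Classify two Debian .dsc files that share source name and version.

A .dsc is an OpenPGP clear-signed RFC822-style control paragraph. Re-signing it
(same key, new timestamp) changes the file's hash but not the signed text;
a different debian/changelog changes the .debian.tar checksum listed inside
the .dsc, so the Checksums-* fields disagree. This example separates the two.
"""
import hashlib


def clearsigned_payload(text):
    """Return the text covered by an OpenPGP clear signature (RFC 4880 section 7)."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        sig = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        return text.strip()  # unsigned .dsc: the whole file is the payload
    # Armour headers such as "Hash: SHA512" run up to the first blank line.
    i = start + 1
    while i < sig and lines[i].strip():
        i += 1
    body = lines[i + 1:sig]
    # Undo dash-escaping and drop trailing whitespace, as the signature does.
    body = [l[2:] if l.startswith("- ") else l for l in body]
    return "\n".join(l.rstrip() for l in body).rstrip("\n")


def parse_control(payload):
    """Parse the single control paragraph of a .dsc into a dict.

    Continuation lines (leading whitespace) are appended to the previous field.
    """
    fields, key = {}, None
    for line in payload.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
    return fields


def sha256_entries(payload):
    """Map each file listed under Checksums-Sha256 to its declared hash."""
    out = {}
    for entry in parse_control(payload).get("Checksums-Sha256", "").splitlines():
        parts = entry.split()
        if len(parts) == 3:  # "<sha256> <size> <filename>"
            out[parts[2]] = parts[0]
    return out


def file_sha256(text):
    """Hash of the .dsc file as stored in an archive (signature included)."""
    return hashlib.sha256(text.encode()).hexdigest()


def differing_files(dsc_a, dsc_b):
    """Names of listed files whose declared sha256 differs between the .dsc files."""
    ea = sha256_entries(clearsigned_payload(dsc_a))
    eb = sha256_entries(clearsigned_payload(dsc_b))
    return sorted(n for n in set(ea) | set(eb) if ea.get(n) != eb.get(n))


def classify(dsc_a, dsc_b):
    """'identical', 'resigned' (same signed text), 'different-source'
    (a listed file's checksum changed) or 'different-metadata'."""
    if dsc_a == dsc_b:
        return "identical"
    pa, pb = clearsigned_payload(dsc_a), clearsigned_payload(dsc_b)
    if pa == pb:
        return "resigned"
    if differing_files(dsc_a, dsc_b):
        return "different-source"
    return "different-metadata"


# Constructed sample data: fake package, fake hashes, fake signature blobs.
def make_dsc(debian_tar_sha, sig_blob):
    orig_sha = "0" * 64
    return f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Source: example-pkg
Binary: example-pkg
Version: 1.0-1
Maintainer: Example Maintainer <maint@example.invalid>
Checksums-Sha256:
 {orig_sha} 1000 example-pkg_1.0.orig.tar.xz
 {debian_tar_sha} 2000 example-pkg_1.0-1.debian.tar.xz
Files:
 {orig_sha[:32]} 1000 example-pkg_1.0.orig.tar.xz
 {debian_tar_sha[:32]} 2000 example-pkg_1.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

{sig_blob}
-----END PGP SIGNATURE-----
"""


DSC_2021 = make_dsc("b" * 64, "iQEzBAEBCgAd...constructed-signature-2021")
DSC_RESIGNED = make_dsc("b" * 64, "iQEzBAEBCgAd...constructed-signature-2023")
DSC_PORTS = make_dsc("c" * 64, "iQEzBAEBCgAd...constructed-signature-2021")

if __name__ == "__main__":
    print("re-signed :", classify(DSC_2021, DSC_RESIGNED),
          file_sha256(DSC_2021)[:12], "!=", file_sha256(DSC_RESIGNED)[:12])
    print("ports copy:", classify(DSC_2021, DSC_PORTS),
          differing_files(DSC_2021, DSC_PORTS))
```

Archive tooling that keys on name and version alone treats all three samples as the same package; keying on the file hash treats the re-signed copy as a new artifact even though nothing it attests to changed. Comparing the signed payload, as above, is the check that matches what the thread is asking about.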
