

Re: source packages and upstream source



From: "Susan G. Kleinmann" <sgk@kleinmann.com>
> Over again, verbosely:  what I think must be avoided is the situation
> where a developer downloads source(s) from somewhere then 
> transforms it somehow by issuing unrecorded commands from the keyboard,
> then proceeds to make a debian package.

Right.

> I believe (hope?) that Bruce is right when he says that the 
> overall effect of a policy that required traceability on Debian's 
> source packages would probably be very small, and merely serve as a 
> heads-up for practices that are more or less in place already.  
> I'm very glad Bruce is pursuing discussions to have a wider 
> audience (Linux-wide) participate in these procedures.

We currently have the tools to unpack upstream sources, generate diffs,
and upload the upstream source along with the diffs. They work. The problem
is that the procedure as documented in our manual and the defaults of the tools
need some changing. If dpkg-source sees the upstream .tar.gz sitting
there, it should extract that into a temporary, generate diffs against it,
and produce a .dsc for the upstream .tar.gz and the .diff.gz. This makes the
current .orig directory irrelevant, although the user may want to have it around
for reference. It also removes the potential for undocumented changes to creep
into the .orig directory where they don't belong. The documented procedure for
making packages needs to be changed to support this process.

Secondary to that, we need to document some additions to the procedure
to make an upload to sunsite and other upstream source archives and get
the Linux world to agree on them. This includes tightening up the format
of the .tar.gz file's name and the name of the directory that the .tar.gz
file contains, including the MD5 checksum of the .tar.gz file in the .lsm
file that is uploaded along with the .tar.gz, and wrapping the .lsm file
in a PGP signature. We also need an infrastructure for admitting upstream
maintainers to the PGP web of trust.

	Bruce
--
Bruce Perens K6BP   Bruce@Pixar.com   510-215-3502
Finger bruce@master.Debian.org for PGP public key.
PGP fingerprint = 88 6A 15 D0 65 D4 A3 A6  1F 89 6A 76 95 24 87 B3
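The workflow the reply proposes, unpacking the pristine upstream tarball into a temporary directory, diffing the working tree against it rather than against a mutable .orig directory, and recording the tarball's MD5 checksum in the .lsm so the upstream source can be verified later, as an added shell example that is not from the original thread and not dpkg-source itself. The function names and the `MD5-Checksum:` field are assumptions.

```shell
#!/bin/sh
# Added example (not dpkg-source): build a traceable Debian-style source
# package from a pristine upstream tarball, as the reply above proposes.
#  1. unpack the upstream .tar.gz into a temporary directory, never a
#     hand-edited .orig/ tree
#  2. generate the .diff.gz against that pristine tree
#  3. record the tarball's MD5 checksum in an .lsm-style manifest so the
#     upstream source can be verified later (field name is assumed)
# Assumes: POSIX sh, tar, gzip, diff, md5sum (coreutils), mktemp.
set -eu

# md5_of FILE: print the MD5 checksum of FILE
md5_of() { md5sum "$1" | cut -d' ' -f1; }

# make_traceable_package UPSTREAM_TGZ WORKDIR OUTBASE
#   UPSTREAM_TGZ: pristine upstream tarball (e.g. hello-1.0.tar.gz)
#   WORKDIR:      the developer's modified copy of the unpacked source
#   OUTBASE:      writes OUTBASE.diff.gz and OUTBASE.lsm
make_traceable_package() {
    tgz=$1; work=$2; out=$3
    tmp=$(mktemp -d)
    # Top-level directory name as recorded inside the tarball.
    topdir=$(tar tzf "$tgz" | head -n 1 | cut -d/ -f1)
    tar xzf "$tgz" -C "$tmp"
    cp -R "$work" "$tmp/new"
    # diff exits 1 when files differ, which is the expected case here.
    (cd "$tmp" && diff -ruN "$topdir" new) > "$out.diff" || [ $? -eq 1 ]
    gzip -f "$out.diff"
    # Minimal .lsm-style record: which tarball, and its checksum.
    printf 'Primary-site: %s\nMD5-Checksum: %s\n' \
        "$(basename "$tgz")" "$(md5_of "$tgz")" > "$out.lsm"
    rm -rf "$tmp"
}

# verify_upstream UPSTREAM_TGZ LSMFILE: succeed only if the tarball's MD5
# matches the checksum recorded in the .lsm manifest.
verify_upstream() {
    recorded=$(sed -n 's/^MD5-Checksum: //p' "$2")
    [ -n "$recorded" ] && [ "$recorded" = "$(md5_of "$1")" ]
}
```

Signing the .lsm with PGP, as the reply also proposes, would be a separate step over the file this produces.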