

Re: qmail license



On 26 Feb 1997, Michael Alan Dorman wrote:

> bruce@pixar.com (Bruce Perens) writes:
> > He wants the MD5SUM of the .src.tar.gz to remain unchanged. We can do that
> > using dpkg-source without a problem. It's just strange.
> 
> Well, I expect part of the reason for that is the fact that he's a
> security nut---qmail sort of embodies that.
> 
> My question is whether we can actually preserve the MD5SUM---if it's
> taken over the whole .tar file, and we change filenames within the tar
> file (to qmail-1.0.orig/*), then the sum for the whole file _will_ be
> different.
> 
> I'm not sure we can comply with this from a technical standpoint.
> 
All he needs to do to make it work is name his source tree head as
qmail-1.0.orig and then his md5sum will match ours. The whole point of the
.orig tree was to "match" the upstream source well enough that anyone
already in possession of them would only need the diff (and for dpkg-source
the .dsc) to get a "Debianized" source tree.

If he is willing to be only a little bit flexible this should not be a
problem.

In fact, I think we should inspect the general idea of getting upstream
developers to deliver source compatible with the packaging system (tar.gz
with a consistent <package>-<version>.orig source tree head) specifically
because they then only need to provide the md5sum to validate the source
as being free of "unknown changes".

If I were to be inclined to introduce a "nasty bug" into the system (which I'm
not) I would "hide" the code in the upstream source file. That way, if it
ever gets discovered, I could claim I had no knowledge, that it came to me
that way from the ftp site. An md5sum of the upstream source and my
version of .orig would not match, and I would be, at least, highly suspect
as the culprit.

Encouraging the free software community to adopt a common source format
with associated md5sum (possibly pgp signed by the developer) could go a
long way to closing up this possibility for destructive intervention by
persons of malicious intent.

Luck,

Dwarf

------------                                          --------------

aka   Dale Scheetz                   Phone:   1 (904) 656-9769
      Flexible Software              11000 McCrackin Road
      e-mail:  dwarf@polaris.net     Tallahassee, FL  32308

------------ If you don't see what you want, just ask --------------
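The checksum argument in the thread, worked through as an added example that is not part of the original mail: a byte-identical reuse of upstream's tarball matches the published md5sum, while renaming the tree head (Michael's concern) or editing any file inside it does not. The file contents and the qmail-1.0 naming are constructed for the demonstration.

```python
import gzip, hashlib, hmac, io, tarfile

# Constructed stand-in for an upstream release; not the real qmail sources.
FILES = {
    "Makefile": b"all:\n\t$(CC) -o qmail-smtpd qmail-smtpd.c\n",
    "qmail-smtpd.c": b"int main(void) { return 0; }\n",
}

def make_tarball(top: str, files: dict) -> bytes:
    """Deterministic .tar.gz (fixed tar and gzip mtimes) with every path under top/."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size, info.mtime = len(data), 0
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def verify_orig(tarball: bytes, published_md5: str) -> bool:
    """The check: does this .orig.tar.gz match the sum upstream published?"""
    return hmac.compare_digest(md5_hex(tarball), published_md5)

def repack_with_top_dir(tarball: bytes, new_top: str) -> bytes:
    """Rename the tree head, as a packager would, without touching file contents."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        files = {m.name.split("/", 1)[1]: tar.extractfile(m).read()
                 for m in tar if m.isfile()}
    return make_tarball(new_top, files)

def run_checks() -> dict:
    # Michael's case: upstream ships qmail-1.0/, Debian renames it to qmail-1.0.orig/.
    shipped_as_1_0 = make_tarball("qmail-1.0", FILES)
    renamed = repack_with_top_dir(shipped_as_1_0, "qmail-1.0.orig")
    # Dale's proposal: upstream ships qmail-1.0.orig/ and Debian reuses it byte for byte.
    shipped_as_orig = make_tarball("qmail-1.0.orig", FILES)
    # Any edit inside the tree, however small, also breaks the sum.
    edited = dict(FILES, Makefile=FILES["Makefile"] + b"# edited\n")
    return {
        "renamed_tree_head": verify_orig(renamed, md5_hex(shipped_as_1_0)),
        "reused_as_is": verify_orig(shipped_as_orig, md5_hex(shipped_as_orig)),
        "edited_file": verify_orig(make_tarball("qmail-1.0.orig", edited), md5_hex(shipped_as_orig)),
    }
```

The matching logic is unchanged if upstream publishes a SHA-256 sum instead of MD5, which is what a release today should do, together with the signature the mail already suggests.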