On Mon, Oct 27, 2025 at 09:38:04AM +0000, MOESSBAUER, Felix wrote:
>...
> Regarding checksums: I'm wondering if the uniqueness of
> name/version/arch triplets just refers to the content of a package, or
> also to the .dsc file with its signature. IOW: Should it be allowed to
> re-sign a .dsc file without changing the version? Here, I'm also
> considering the case that a package is copied from debian-security to
> debian.

This shouldn't happen. Importing packages from debian-security to (old)stable is basically an upload, and you need the signature of the uploader for that. When you download a source package from Ubuntu that does not have "ubuntu" or "build" in the version string, the .dsc still contains the signature that was used for uploading it to Debian.

> Maybe that could be documented as well, in case the decision is made.
>...

I don't think anything needs a decision, what is missing are checks in tooling that would result in a rejection of the upload.

> Felix

cu
Adrian

