I'm proposing we add a new field to generated packages, and as part of Debian policy, make them required for Debian packages. It's all very simple, doesn't require any effort by the maintainers other than upgrading dpkg-dev, and poses few side-effects (other than a small increase in the size of the Packages file and .deb's in general).

This field would look like such:

UUID: 71dc203f-c6bb-4feb-b3c2-ca8c84e727c8

(Note UUID stands for Universally Unique IDentifier)

The tool to create this is already in e2fsprogs. Most likely we can work on moving this to debianutils or dpkg-dev.

The reason for this is many-fold. One, it gives us a unique way to identify a .deb exclusive of when/where/who built it, and what arch it is on. This is different from the md5sum, because this won't change even if the contents of the .deb changes.

Now, you may be asking "why?". The answer is very simple. We need a way to discern packages from one another for security reasons. To invalidate a .deb, we need a way to discern it from others, without comparing package name, filename, version, md5sum, etc... Sooner or later sigs will start traveling around with .deb's (that's another discussion, save it for later, it is coming soon). When those sigs are changed or updated by the archive maintainers or the release manager, the md5sum of the package will change, but the UUID will remain the same. This way we can revoke packages based on security issues, or other things.

The UUID can be generated by dpkg-gencontrol.

-- 
Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux
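As an added illustration (not part of the original post or of dpkg), the following shows how revocation keyed on the proposed UUID field behaves across a re-signed .deb whose md5sum changed. The control stanzas, checksums and revocation list are constructed, and parse_stanza / is_revoked are hypothetical helpers.

```python
import re
import uuid

# Constructed sample: two Packages-file stanzas for the same upload, as they
# might look before and after the archive re-signs the .deb. Only MD5sum
# differs; the proposed UUID field is carried over unchanged.
# (Hypothetical values, not taken from any real archive.)
STANZA_BEFORE = """\
Package: example-pkg
Version: 1.0-1
Architecture: i386
UUID: 71dc203f-c6bb-4feb-b3c2-ca8c84e727c8
MD5sum: 0cc175b9c0f1b6a831c399e269772661
Filename: pool/main/e/example-pkg/example-pkg_1.0-1_i386.deb
"""
STANZA_AFTER = STANZA_BEFORE.replace(
    "MD5sum: 0cc175b9c0f1b6a831c399e269772661",
    "MD5sum: 92eb5ffee6ae2fec3ad71c777531578f",
)

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_stanza(text):
    """Parse one dpkg control stanza ("Field: value" lines) into a dict.
    Continuation lines are skipped; none of the fields used here have them."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith((" ", "\t")):
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def generate_uuid_field():
    """What dpkg-gencontrol would emit under the proposal: a fresh random UUID."""
    return "UUID: %s" % uuid.uuid4()


def is_revoked(stanza_text, revoked_uuids):
    """Revocation keyed on UUID alone: the same package is caught whether or
    not its checksum changed, without comparing name, version or filename.
    A missing or malformed UUID is never treated as a match."""
    pkg_uuid = parse_stanza(stanza_text).get("UUID", "").lower()
    if not UUID_RE.match(pkg_uuid):
        return False
    return pkg_uuid in revoked_uuids


# Constructed revocation list naming the UUID from the stanzas above.
REVOKED = {"71dc203f-c6bb-4feb-b3c2-ca8c84e727c8"}
```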

