On Fri 12 Jan 2007 18:59:11 NZDT +1300, Matthew Gregan wrote:

> As far back as Debian Buzz (1.1, mid 1996) and probably earlier, the source
> has been provided as a pristine tarball and a patch file.  The description
> file came later.

I put money on having seen repackaged source tar files with all Debian
patches applied since then, though the evidence may have walked off disk
by now. You're right that policy isn't the same as application software
behaviour, but software which doesn't strongly discourage bad policy
reduces its usefulness.

> Debian has had the same policy for a very long time.

Having a policy and adhering to it 100% are two different things. While
rpm doesn't enforce this policy either, having had it since day 1 meant
there was never any deviation. Indirectly it's a tool issue too.

> Debian's way of doing things is useful for people without dpkg and the rest
> of the tools--there are no special tools required to get at and use the
> components of the source package.

Some may count that as a plus, I count that as irrelevant. If it makes
it more difficult to cryptosign the file, it becomes a downside.

> Not much different from an SRPM, it's just 3 vs 1 URLs.  If you're
> downloading lots of source packages on a non-Debian system, write a script,
> then the number of components is even more irrelevant.

Yep, and with rpm I wouldn't have to do all that. Bonus from my point.

> The dsc file itself has an inline OpenPGP signature of the package
> maintainer.  Assuming you have established a line of trust to their public
> key, this provides you with an assurance of authenticity for all three
> files.

Much easier to have one line of trust to the distro vendor, though
that's probably more a distro than a tool issue. However, rpm -K onefile
looks much simpler to me than the hoops you describe.

> I should clarify.  The package formats have had checksum verification since
> inception.  This takes care of detecting corruption during downloads or
> shipping packages around on physical media.

I was only talking about cryptosignatures for authenticity, anyone can
run md5sum against accidental transit damage.

> Having a checksum or an OpenPGP signature along with a package corrupted
> during download isn't going to save you from having to download it again at
> $5/MB.

True, but it allows me to get it locally at little or no cost from any
unverified or unverifiable source, instead of for $5/MB from across the
water. I still use md5sum all the time (esp. burnt disks), but my long
years of experience with downloads is that download corruption is rare.
Cryptosignatures have saved considerable $$ and a lot of mucking around,
and allowed a simple "hey, I don't care". Let's leave correcting download
corruptions when they do occur as a separate issue.

> All of the packaging systems have their own strengths and weaknesses.  Right
> now, there is no one packaging system to rule them all.

Too true. Annoying, too. Still worlds better than M$ though.

> And, hey, I could write a list of stuff I think is wrong with RPM and the
> surrounding support utilities, but what would be the point?

I would be interested in your Debian-minded view on that, actually.

Volker

-- 
Volker Kuhlmann                 is list0570 with the domain in header
http://volker.dnsalias.net/     Please do not CC list postings to me.
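The thread above argues about how much work it is to verify a Debian source package compared with `rpm -K`. What actually makes the .dsc's single OpenPGP signature cover all three files is that the signed .dsc body lists the size and digest of the .orig.tar.gz and the .diff.gz. The script below is an added example, written for this page and not code from either poster or from Debian; it assumes the signature on the .dsc has already been checked with `gpg --verify` (or `dscverify` from devscripts), and performs the second half of the check: parsing the clearsigned Deb822 text and confirming the named files match the digests it carries. It prefers a `Checksums-Sha256` field over the legacy md5 `Files` field when both are present. The package name, file names and file contents are constructed sample data.

```python
"""Check the files named by a Debian .dsc against the digests it carries.

Added example, not code from the original mail or from Debian. The OpenPGP
signature on the .dsc is assumed to have been verified already with
`gpg --verify pkg.dsc` or `dscverify`; this only checks that the
.orig.tar.gz and .diff.gz match the size and digest recorded in the
signed body.
"""
import hashlib

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def unwrap_clearsign(text):
    """Return the signed body of an RFC 4880 clearsigned message.

    Text that is not clearsigned is returned unchanged.  Armour headers
    (e.g. 'Hash: SHA256') run up to the first blank line; body lines that
    begin with '-' are dash-escaped as '- -' and are unescaped here.
    """
    lines = text.splitlines()
    if not lines or lines[0] != CLEARSIGN_BEGIN:
        return text
    i = 1
    while i < len(lines) and lines[i].strip():
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == SIG_BEGIN:
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body) + "\n"


def parse_dsc(text):
    """Parse Deb822 fields into a dict; continuation lines are kept, one per line."""
    fields = {}
    current = None
    for line in unwrap_clearsign(text).splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current is not None:
            fields[current] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def expected_digests(fields):
    """Return (hashlib algorithm name, {filename: (hexdigest, size)}).

    Prefers SHA-256, then SHA-1, and falls back to the md5 'Files' field
    that every .dsc carries.
    """
    for field, algo in (("Checksums-Sha256", "sha256"),
                        ("Checksums-Sha1", "sha1"),
                        ("Files", "md5")):
        if field in fields:
            entries = {}
            for line in fields[field].splitlines():
                if line.strip():
                    digest, size, name = line.split()
                    entries[name] = (digest.lower(), int(size))
            return algo, entries
    raise ValueError("no checksum field found in .dsc")


def verify_files(dsc_text, files):
    """files: {filename: bytes}.  Returns {filename: 'ok'|'missing'|'bad-size'|'bad-digest'}."""
    algo, expected = expected_digests(parse_dsc(dsc_text))
    results = {}
    for name, (digest, size) in expected.items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:          # cheap check first, as dpkg-source does
            results[name] = "bad-size"
        elif hashlib.new(algo, data).hexdigest() != digest:
            results[name] = "bad-digest"
        else:
            results[name] = "ok"
    return results


def build_sample():
    """Constructed sample .dsc plus the two files it names (not a real package).

    The signature block is a placeholder; digests are computed over the
    sample bytes so the example runs offline.
    """
    files = {
        "example_1.2.orig.tar.gz": b"constructed stand-in for the pristine upstream tarball\n" * 4,
        "example_1.2-3.diff.gz": b"constructed stand-in for the Debian diff\n" * 3,
    }

    def entry(algo, name):
        return " %s %d %s" % (hashlib.new(algo, files[name]).hexdigest(), len(files[name]), name)

    dsc = "\n".join([
        CLEARSIGN_BEGIN, "Hash: SHA256", "",
        "Format: 1.0", "Source: example", "Binary: example",
        "Architecture: any", "Version: 1.2-3",
        "Maintainer: Example Maintainer <maint@example.invalid>",
        "Checksums-Sha256:",
        entry("sha256", "example_1.2.orig.tar.gz"), entry("sha256", "example_1.2-3.diff.gz"),
        "Files:",
        entry("md5", "example_1.2.orig.tar.gz"), entry("md5", "example_1.2-3.diff.gz"),
        SIG_BEGIN, "", "(placeholder: signature omitted in constructed sample)",
        "-----END PGP SIGNATURE-----", "",
    ])
    return dsc, files


if __name__ == "__main__":
    dsc, files = build_sample()
    print("pristine :", verify_files(dsc, files))
    tampered = dict(files)
    tampered["example_1.2-3.diff.gz"] = tampered["example_1.2-3.diff.gz"].replace(b"Debian", b"DEBIAN")
    print("tampered :", verify_files(dsc, tampered))
```

A same-length edit to the diff, the case a mirror or an untrusted local copy would produce, fails on the digest, so once the .dsc itself has a verified signature the tarball and patch can indeed come from any source, which is the point made above about fetching locally instead of at $5/MB.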
