At 2007-01-12T19:53:07+1300, Volker Kuhlmann wrote:
> I put money on having seen repackaged source tar files with all Debian
> patches applied since then, though the evidence may have walked off disk
> by now.

Oops, my memory failed me slightly.  Yes, with the very early releases, you
used to get a patched tarball plus the patch that generated the tarball from
the original source.  Applying the patch in reverse (patch -R) would
regenerate the contents of the pristine tarball.  Pretty messy compared with
the current system, but the same total set of information was available.

They stopped doing this a long time ago.  Buzz was 1996.  The existing
system of pristine tarballs has been in place for a very long time.

> You're right that policy isn't the same as application software behaviour,
> but software which doesn't strongly discourage bad policy reduces its
> usefulness.

Well, the Debian build tools certainly discourage it.  Using them in the
documented way will result in verification that a pristine tarball and a
patch to apply the Debian-specific changes

> Having a policy and adhering to it 100% are two different things.

Absolutely.

> While rpm doesn't enforce this policy either, having had it since day 1
> meant there was never any deviation.

Rubbish.  As long as there are people involved, it can be cocked up.

> Some may count that as a plus, I count that as irrelevant. If it makes it
> more difficult to cryptosign the file, it becomes a downside.

It doesn't make it any more difficult.  It's automated as part of the
package building process.

> Yep, and with rpm I wouldn't have to do all that. Bonus from my point.

But you need RPM, or a tool that understands RPM format to extract the
source and patches, which is pretty inconvenient.

> Much easier to have one line of trust to the distro vendor, though that's
> probably more a distro than a tool issue. However, rpm -K onefile looks
> much simpler to me than the hoops you describe.

The 'Release' files are signed by the release masters.  You trust these, and
the release masters trust the maintainers.  This is called a web of trust.

The only hoop is establishing the initial trust seed by establishing trust
to the release master's key.  The same hoop exists for your favourite system
too.

> I was only talking about cryptosignatures for authenticity, anyone can run
> md5sum against accidental transit damage.

You need a trustworthy checksum value supplied by the originator in the
first place.

> I would be interested in your Debian-minded view on that, actually.

I'm not Debian minded, I use the right tool for the job.  Sometimes, it's
not even Linux.

Sorry, I'm not going to waste my own time ranting about how much RPM sucks.
It won't achieve anything.  If you want to see ranting about RPM, feel free
to Google for it.

Cheers,
-mjg
-- 
Matthew Gregan                     |/
                                  /|                    [EMAIL PROTECTED]

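The trust chain Matthew describes (signed Release file, which lists the hashes of the
index files, which in turn list the hashes of the package files, so that one verified
root vouches for everything below it) as an added, stand-alone example; this is not code
from the original thread or from Debian's own tools. The archive contents, paths and
package names are constructed for the example, and the one step it takes as given is the
signature check on the Release file itself (the "trust seed" the mail refers to); the
code only walks the hash chain that hangs off it. It also shows why the chain matters
for the point about checksums: an attacker who swaps a package can rewrite the index
that lists it, but cannot rewrite the signed root, so the substitution is caught there.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_packages(debs):
    """Render a Packages-style index for a {path: bytes} mapping (constructed data)."""
    stanzas = []
    for path, content in sorted(debs.items()):
        name = path.rsplit("/", 1)[1].split("_")[0]
        stanzas.append(
            f"Package: {name}\nFilename: {path}\n"
            f"Size: {len(content)}\nSHA256: {sha256_hex(content)}\n"
        )
    return "\n".join(stanzas)


def build_release(indexes):
    """Render a Release-style file carrying the hashes of the index files.
    In a real archive this file is what the release key signs; the signature
    check is assumed to have been done before this text is trusted."""
    lines = ["Suite: stable", "SHA256:"]
    for path, content in sorted(indexes.items()):
        lines.append(f" {sha256_hex(content)} {len(content)} {path}")
    return "\n".join(lines) + "\n"


def build_archive():
    """Constructed sample archive: two stand-in .deb files, one index, one Release."""
    debs = {
        "pool/main/f/foo/foo_1.0-1_amd64.deb": b"constructed stand-in for foo's .deb",
        "pool/main/b/bar/bar_2.3-1_amd64.deb": b"constructed stand-in for bar's .deb",
    }
    indexes = {"main/binary-amd64/Packages": build_packages(debs).encode()}
    files = dict(debs)
    files.update(indexes)
    return build_release(indexes), files


def parse_release_sha256(release_text):
    """Return {path: (hexdigest, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages_sha256(packages_text):
    """Return {Filename: (hexdigest, size)} for every stanza of a Packages index."""
    entries = {}
    for stanza in packages_text.split("\n\n"):
        fields = dict(
            (k, v.strip())
            for k, v in (l.split(":", 1) for l in stanza.splitlines() if ":" in l)
        )
        if "Filename" in fields and "SHA256" in fields:
            entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries


def check(files, expected):
    """Map each listed path to True/False; a missing file or wrong size fails."""
    results = {}
    for path, (digest, size) in expected.items():
        data = files.get(path)
        results[path] = data is not None and len(data) == size and sha256_hex(data) == digest
    return results


def verify_archive(release_text, files):
    """Walk the chain Release -> index -> package files.
    An index is only parsed, and its hashes only believed, if it itself
    verified against the (signed) Release file."""
    details = check(files, parse_release_sha256(release_text))
    for index_path, ok in list(details.items()):
        if ok:
            details.update(check(files, parse_packages_sha256(files[index_path].decode())))
    return all(details.values()), details


def tamper_scenarios():
    """Intact archive, swapped .deb, and swapped .deb with a re-hashed index."""
    release, files = build_archive()
    deb, idx = "pool/main/f/foo/foo_1.0-1_amd64.deb", "main/binary-amd64/Packages"
    intact_ok, _ = verify_archive(release, files)
    swapped = dict(files)
    swapped[deb] = b"attacker-supplied replacement"          # fails at the .deb
    swapped_ok, swapped_details = verify_archive(release, swapped)
    rehashed = dict(swapped)                                  # attacker fixes up the index too
    rehashed[idx] = build_packages({p: c for p, c in rehashed.items() if p.endswith(".deb")}).encode()
    rehashed_ok, rehashed_details = verify_archive(release, rehashed)  # fails at the index
    return {
        "intact": intact_ok,
        "swapped_deb": (swapped_ok, swapped_details[deb]),
        "rehashed_index": (rehashed_ok, rehashed_details[idx], deb in rehashed_details),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name}: {result}")
```

The third scenario is the one that answers the "anyone can run md5sum" remark: the checksum
that travels beside the file is only worth anything if something the attacker cannot forge
vouches for it, and in this layout that is the signature on the Release file. Note that a
failed index is never parsed, so nothing below it is reported as verified.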