-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jan 20, 2009 at 10:59:18PM +0100, Sascha Silbe wrote:
> On Tue, Jan 20, 2009 at 03:34:11PM +0100, Jonas Smedegaard wrote:
>
>> Or rephrased: Acknowledged, I do not (yet?) sign my unofficial
>> packages provided at debian.jones.dk.
> OK, I've used them anyway as it's for a testing VM only.

I claim (through this signed email) that I myself compiled all packages
offered at debian.jones.dk in clean (or least-possible-unclean[1]) build
environments.

The warning showing in your APT frontend does not indicate bad packaging
quality, only uncertainty of origin: Theoretically someone could do a
man-in-the-middle attack while you fetched my packages and replace them
with something nasty.

But that is all signing does. And the reason I have so far not bothered
signing, even if I use those packages myself in production - for servers
and workstations that approx. 1.000 users depend on privately as well as
professionally.

Personally I have greater trust in my own backports done this way than
in backports.org, YMMV. :-)

> Results:
> New VM with lenny + your repository: not reproducible
> New user on lenny + sid machine after updating to latest Sugar from sid:
> still reproducible
>
> So either some non-Sugar package from sid really slipped in (any way to
> check that?) or there's some difference between the Sugar packages in
> your repository and the ones in sid.

My Lenny packages have been compiled against libraries in Lenny. Sid
packages have been compiled against libraries in Sid.

Mixing "branches" raises risk of incompatibilities. As this clearly
shows IMHO.

Please test if a pure Sid environment works. If it does, I believe we
should simply close this bug.


 - Jonas

[1] If a package is backported to a more conservative branch, and needs
some library backported too, then the library gets backported in a clean
environment and is then included in an almost-clean environment. If the
build process needs helper tools backported then that is either done
similarly.

The package URL hints about the branch used, e.g.
sugar-toolkit for Etch on i386 is built in the almost-clean
"etch-i32+src" environment at the build host "auryn":
http://debian.jones.dk/pkg/sugar/sugar-toolkit/etch-ia32+src/auryn/

That "+src" pollution is available too: http://debian.jones.dk/pkg/src/

- -- 
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl2VVYACgkQn7DbMsAkQLhSTwCdFsjyxjTKs/7bqnvtyb4sSJwT
Z30AnR8gZV/Uy+eCK/FmYWt6iClf0J71
=dCMj
-----END PGP SIGNATURE-----
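
The message above says the APT warning means only "uncertainty of origin". The following is an added example, not part of the original email and not Debian's own code, that models why: the checksums in a repository detect corruption, but only an authenticated Release file ties them to the publisher. Assumptions: the Release and Packages layout is simplified, the package bytes and paths are constructed, and comparing against a pinned copy of Release stands in for verifying the signature on Release with a trusted archive key.

```python
import hashlib

INDEX = "main/binary-i386/Packages"  # assumed index path for this sketch

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_repo(deb: bytes) -> dict:
    """Constructed, simplified repository: Release -> Packages -> .deb."""
    packages = ("Package: sugar-toolkit\n"
                "Filename: pool/sugar-toolkit.deb\n"
                f"Size: {len(deb)}\n"
                f"SHA256: {sha256(deb)}\n").encode()
    release = ("Suite: lenny\n"
               "SHA256:\n"
               f" {sha256(packages)} {len(packages)} {INDEX}\n")
    return {"Release": release, "Packages": packages, "deb": deb}

def release_hashes(release: str) -> dict:
    """Parse the SHA256 section of a Release file into {path: digest}."""
    hashes, in_section = {}, False
    for line in release.splitlines():
        if in_section and line.startswith(" "):
            digest, _size, path = line.split()
            hashes[path] = digest
        else:
            in_section = line.strip() == "SHA256:"
    return hashes

def packages_field(packages: bytes, field: str) -> str:
    """Return one field of the (single) stanza in a Packages index."""
    for line in packages.decode().splitlines():
        if line.startswith(field + ":"):
            return line.split(":", 1)[1].strip()
    raise KeyError(field)

def check(repo: dict, pinned_release=None) -> str:
    """pinned_release stands in for a Release whose signature verified."""
    if sha256(repo["Packages"]) != release_hashes(repo["Release"]).get(INDEX):
        return "corrupt: Packages does not match Release"
    if sha256(repo["deb"]) != packages_field(repo["Packages"], "SHA256"):
        return "corrupt: .deb does not match Packages"
    if pinned_release is None:
        return "consistent, origin unknown"  # the unsigned-repository case
    if repo["Release"] != pinned_release:
        return "rejected: Release is not the authenticated one"
    return "authentic"

if __name__ == "__main__":
    repo = build_repo(b"constructed package bytes")
    print(check(repo), "|", check(repo, repo["Release"]))
```

A repository whose three files were all replaced consistently in transit still returns "consistent, origin unknown" without the pinned Release, which is the gap the warning reports.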