Debian: what precisely identifies a source package
Johannes Schauer Marin Rodrigues
josch at debian.org
Fri Oct 24 15:58:01 UTC 2025
Hi,
Quoting MOESSBAUER, Felix (2025-10-24 11:50:28)
> We further got the hint by @pkern (thanks for that!), that a name+version
> might not be sufficient to precisely identify a package (at least not across
> archives). By that, we also need checksums to ensure that a package we later
> look up is actually the one we had at time of "scanning".
yes. This is tracked as this bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072205
I have not yet heard an argument against somehow trying to make sure that
packages should not have the property of being unique by their
name/version/arch triplet. We just still lack the tooling to make sure that new
packages do not violate this principle.
Thanks!
cheers, josch
P.S.: Holger made me aware of this thread via IRC and I haven't seen any
mention of above bug yet, so here it goes. :)
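
As an added illustration (not part of the original message and not Debian tooling): a small check that reads Packages-style indices from several archives and reports every name/version/architecture triplet that appears with more than one SHA256. The archive names, package entries and digests are constructed sample data; a scan-time record can be passed in as one of the inputs to compare it against a later lookup.

```python
from collections import defaultdict

D1, D2, D3 = "aa" * 32, "bb" * 32, "cc" * 32  # constructed SHA256 values
# Constructed Packages-style (deb822) indices for two hypothetical archives.
ARCHIVE_A = f"""Package: hello
Version: 2.10-3
Architecture: amd64
Description: example package
 extended description line
SHA256: {D1}

Package: zlib1g
Version: 1:1.3-1
Architecture: amd64
SHA256: {D2}
"""
ARCHIVE_B = f"""Package: hello
Version: 2.10-3
Architecture: amd64
SHA256: {D3}
"""

def parse_stanzas(text):
    """Parse deb822 text into dicts with lower-cased field names."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():              # blank line ends a stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t":            # continuation of the previous field
            if last:
                cur[last] += "\n" + line.strip()
        elif ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            last = key.strip().lower()
            cur[last] = value.strip()
    return stanzas

def find_collisions(archives):
    """Return {(name, version, arch): {sha256: [archive, ...]}} for triplets with >1 digest."""
    seen = defaultdict(dict)
    for archive, text in archives.items():
        for st in parse_stanzas(text):
            if not all(k in st for k in ("package", "version", "architecture", "sha256")):
                continue                  # an incomplete stanza cannot be identified
            triplet = (st["package"], st["version"], st["architecture"])
            seen[triplet].setdefault(st["sha256"].lower(), []).append(archive)
    return {t: d for t, d in seen.items() if len(d) > 1}
```

Calling `find_collisions({"archive-a": ARCHIVE_A, "archive-b": ARCHIVE_B})` reports only the `hello` triplet, with each digest mapped to the archive that served it.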