Bill Mitchell writes ("Re: changes file format "):
> [...]
> I also reiterate my suggestion that we stop the practice
> of maintainers announcing directly (and prematurely)
> to debian-changes, and have the maintainer announcements
> uploaded to debian.org along with the other package files,
> machine-parsed there, and machine-produced announcements
> in whatever announcement format is deemed appropriate
> incorporating information from the machine-parsed maintainer
> uploads made from debian.org once the packages being
> announced are actually available as part of the distribution.
No, this has even worse security properties than the scheme we have at the moment. It's important that the distribution channels for the MD5 checksum information and the files themselves remain separate. (For this reason I think that putting the MD5 checksums in the Incoming directory itself is bad - there should be a separate administrative directory.)

It would be best if every announcement were reviewed by a human before being passed to the automatic distribution and changelog maintenance software.

Ian.
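The separation Ian argues for, as an added example (not Debian's tooling and not code from this thread): a verifier that reads a .changes-style manifest only from an administrative directory and checks the files sitting in Incoming against it, so a writer to Incoming cannot also supply the checksums that vouch for the upload. The Files: stanza layout, the directory names and the package names are assumptions.

```python
"""Added example (not Debian's tooling): verify files in Incoming against an MD5
manifest held in a separate administrative directory. Assumed manifest format: a
.changes-style Files: stanza (md5 size section priority name)."""
import hashlib
import tempfile
from pathlib import Path

def parse_files_stanza(text):
    """Return {filename: (md5hex, size)} from the Files: stanza."""
    entries, in_files = {}, False
    for line in text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" "):
            md5hex, size, _section, _priority, name = line.split()
            entries[name] = (md5hex, int(size))
        elif in_files:
            break  # stanza ends at the first non-continuation line
    return entries

def check_file(path, md5hex, size):
    """Classify one Incoming file: 'ok', 'missing', 'size-mismatch' or 'md5-mismatch'."""
    if not path.is_file():
        return "missing"
    data = path.read_bytes()
    if len(data) != size:
        return "size-mismatch"
    if hashlib.md5(data).hexdigest() != md5hex:
        return "md5-mismatch"
    return "ok"

def verify_incoming(incoming_dir, admin_dir, changes_name):
    """Manifest comes from admin_dir, never from incoming_dir: whoever can write
    to Incoming must not also be able to supply the checksums that vouch for it."""
    expected = parse_files_stanza(Path(admin_dir, changes_name).read_text())
    return {name: check_file(Path(incoming_dir, Path(name).name), md5hex, size)
            for name, (md5hex, size) in expected.items()}

def demo():
    """Constructed fixture: one genuine upload, one file altered in Incoming."""
    root = Path(tempfile.mkdtemp())
    incoming, admin = root / "Incoming", root / "admin"
    incoming.mkdir()
    admin.mkdir()
    good = b"constructed .deb payload\n"
    (incoming / "foo_1.0-1.deb").write_bytes(good)
    (incoming / "foo_1.0-1.tar.gz").write_bytes(b"tampered\n")  # 9 bytes, as listed
    manifest = (f"Files:\n {hashlib.md5(good).hexdigest()} {len(good)} misc optional foo_1.0-1.deb\n"
                f" {'0' * 32} 9 misc optional foo_1.0-1.tar.gz\n")
    (admin / "foo_1.0-1.changes").write_text(manifest)
    return verify_incoming(incoming, admin, "foo_1.0-1.changes")
```

A size check alone would pass the altered tarball; only the out-of-band MD5 catches it, which is why the manifest must not live beside the files it describes.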