Michael Biebl <bi...@debian.org> writes:
> On the other hand, downloading the tarball from the archive is not
> automated by any tool afaics.
> That means, git-buildpackage will happily re-create the dist tarball
> from the upstream branch.
> If you are not watching really carefully, this step is very easy to miss.
>
> It's also very easy to forget this particular caveat when you do
> stable-security uploads.
> And as the stable-security archive will *not* reject such a tarball, you
> can end up with tarballs which have different md5sums in stable and
> stable-security.

The archive software should catch this by now: we sync the list of files including hashes from ftp-master to security-master daily. If you upload a file to security-master that does not match the file in the list, the upload will be rejected. There's still a race if you upload different .orig.tar.* to security-master and ftp-master on the same day, but the most common errors should be caught.

Ansgar
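The check described in the reply above, sketched as an added example that is not part of the original thread and not the archive software's own code: an upload's `.dsc` checksums are compared with a synced file list, and files the list does not yet contain cannot be checked, which is the same-day race. The function names, the package `foo`, its version string and all hashes are constructed for illustration.

```python
import hashlib

def parse_dsc_checksums(dsc_text, field="Checksums-Sha256"):
    """Return {filename: hexdigest} from one checksum field of a .dsc file."""
    files, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            digest, _size, name = line.split()
            files[name] = digest
        else:
            in_field = False  # any other field ends the checksum list
    return files

def check_upload(dsc_text, known_files):
    """Compare an upload with the synced list {filename: sha256 hexdigest}.

    Returns (rejected, unchecked): files whose hash differs from the list,
    and files the list does not contain yet, so no comparison is possible.
    """
    rejected, unchecked = [], []
    for name, digest in sorted(parse_dsc_checksums(dsc_text).items()):
        if name not in known_files:
            unchecked.append(name)
        elif known_files[name] != digest:
            rejected.append(name)
    return rejected, unchecked

# Constructed sample data: two byte strings stand in for the tarball already
# in the main archive and one re-created from the upstream git branch.
ORIG = hashlib.sha256(b"tarball as first uploaded").hexdigest()
REGEN = hashlib.sha256(b"tarball re-created from git").hexdigest()
DEBIAN = hashlib.sha256(b"packaging changes").hexdigest()
KNOWN = {"foo_1.0.orig.tar.gz": ORIG}  # stands in for the daily synced list

def make_dsc(orig_digest):
    """Build a minimal constructed .dsc for a security upload of foo."""
    return (
        "Format: 3.0 (quilt)\n"
        "Source: foo\n"
        "Checksums-Sha256:\n"
        f" {orig_digest} 1024 foo_1.0.orig.tar.gz\n"
        f" {DEBIAN} 512 foo_1.0-1+deb0u1.debian.tar.xz\n"
        "Maintainer: Example <maint@example.org>\n"
    )

if __name__ == "__main__":
    print(check_upload(make_dsc(ORIG), KNOWN))   # orig matches the list
    print(check_upload(make_dsc(REGEN), KNOWN))  # re-created orig is rejected
    print(check_upload(make_dsc(REGEN), {}))     # list not synced yet: race
```

The new `.debian.tar.xz` is always reported as unchecked because it is new in every upload; only an unchecked `.orig.tar.*` indicates the race window.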