> -----Original Message-----
> From: Sean 'Shaleh' Perry [mailto:[EMAIL PROTECTED]
>
> > Your UUID is the pkg+version+arch. From my viewpoint it's as simple as
> > that. Maybe the official policy needs to be updated so that it is clear
> > that any change to the binary packages, including just compile time changes,
> > requires a version update? That way you could change your "sigs" as often
> > as you'd like but you would know that a particular build was a particular
> > build.
>
> Ben neglected to talk about the signing policy ....
>
> You compile your package and upload it (signed by you) to unstable. 6 months
> later, when we are ready to release the Release Manager has a Release Key and
> the packages themselves are signed by this key. Using md5sums fails here
> because the contents of the deb have changed (the sig was added). The version
> number should not be bumped because there is no packaging change.

Sorry, I'm not a Debian developer so honestly don't know all the policies or
processes behind making debs. But, it seems clear to me that if you use the
pkg+version+arch as your UUID then a change in the md5sum caused by adding a
signature would not affect the "UUID" and therefore be moot. When I say any
change in the "binary package" I mean any change in the binary files that get
installed when the package is installed. I'm not talking about a change in the
deb file itself. Or am I totally confused?

Fred Reimer
Eclipsys Corporation
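
The distinction argued in this message, shown as an added example that is not part of the original thread or of any Debian tool: a whole-file md5sum changes when a signature is added to the deb, while a digest over only the installable members does not, and that same digest does change when a rebuild keeps the same pkg+version+arch. It assumes the signature is stored as an extra member of the deb's ar container; the member name `_gpgorigin`, the helper names and all sample bytes are constructed for illustration.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_member(name, data):
    """One ar member: 60-byte header, data, newline pad to even length."""
    header = "{:<16}{:<12}{:<6}{:<6}{:<8}{:<10}`\n".format(
        name, 0, 0, 0, "100644", len(data)).encode("ascii")
    return header + data + (b"\n" if len(data) % 2 else b"")

def build_ar(members):
    return AR_MAGIC + b"".join(ar_member(n, d) for n, d in members)

def parse_ar(blob):
    """Return [(name, data)] for each member; reject malformed headers."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) != 60 or header[58:] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(header[48:58].decode("ascii"))
        name = header[:16].decode("ascii").rstrip(" /")
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return members

def file_md5(blob):
    return hashlib.md5(blob).hexdigest()

def payload_digest(blob):
    """Digest of only the members that decide what gets installed."""
    h = hashlib.sha256()
    for name, data in parse_ar(blob):
        if name == "debian-binary" or name.startswith(("control.tar", "data.tar")):
            h.update(f"{name}\0{len(data)}\0".encode() + data)
    return h.hexdigest()

# Constructed sample members, not a real package.
BASE = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"constructed control"),
        ("data.tar.gz", b"constructed data, build A")]
UNSIGNED = build_ar(BASE)
# Assumption: the release signature is stored as an extra ar member.
SIGNED = build_ar(BASE + [("_gpgorigin", b"constructed signature")])
# Same pkg+version+arch, different compile-time output.
REBUILT = build_ar(BASE[:2] + [("data.tar.gz", b"constructed data, build B")])

if __name__ == "__main__":
    for label, deb in (("unsigned", UNSIGNED), ("signed", SIGNED), ("rebuilt", REBUILT)):
        print(f"{label:9} md5={file_md5(deb)} payload={payload_digest(deb)[:16]}")
```

The rebuilt case is the one a pkg+version+arch identifier alone cannot distinguish, which is why the earlier message suggests requiring a version bump for compile-time changes.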