[DRE-maint] Multiple uploads of a single .orig.tar.gz with different checksums

intrigeri intrigeri at debian.org
Thu Feb 14 09:13:28 GMT 2019


ruby-fog-google_1.8.1.orig.tar.gz was accepted in the Debian archive:

 - on 2018-11-20, with SHA1 ee4367146e6207a0d61f93766d4d024c95456da5
 - on 2019-02-13, with SHA1 899e8100118232f059cbe2cc363ea7d3d12d37f5

Similarly, ruby-asset-sync_2.4.0.orig.tar.gz was accepted:

 - on 2018-06-20, with SHA1 1d7ebfe78923132978ef81c6fb1bd8117157e24a
 - on 2019-01-28, with SHA1 eb3b84982ae37d94c8456ed95c262b555c5e5cb7

In both cases, as I understand it the second upload was accepted by
dak only because the previous "version" of the same tarball was not in
the archive anymore (a newer version had migrated to testing already).
Otherwise, I believe dak would have rejected the upload.

I don't know if the fact dak accepted the 2nd upload of the same (but
not quite same) file is merely due to a bug/limitation in dak or if
that's the intended design; I suspect the former. Either way, I find
it confusing to upload different versions of a file with the exact
same name and it has great potential to build machinery built with
stricter assumptions. For example, FWIW it breaks Tails' mechanism to
take and maintain regular snapshots of the Debian archive.

If that's not too much burden for you, could you please tweak your
packaging workflow so that this does not happen? Thanks in advance!


More information about the Pkg-ruby-extras-maintainers mailing list