[Debian-olpc-devel] Bug#512258: Bug#512258: sugar-web-activity: drop-down input fields (HTML forms) not working

Jonas Smedegaard dr at jones.dk
Tue Jan 20 22:51:02 UTC 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jan 20, 2009 at 10:59:18PM +0100, Sascha Silbe wrote:
> On Tue, Jan 20, 2009 at 03:34:11PM +0100, Jonas Smedegaard wrote:
>
>> Or rephrased: Acknowledged, I do not (yet?) sign my unofficial 
>> packages provided at debian.jones.dk.
> OK, I've used them anyway as it's for a testing VM only.

I claim (through this signed email) that I myself compiled all packages 
offered at debian.jones.dk in clean (or least-possible-unclean[1]) build 
environments. The warning showing in your APT frontend does not indicate 
bad packaging quality, only uncertainty of origin: Theoretically someone 
could do a man-in-the-middle attack while you fetched my packages and 
replace them with something nasty. But that is all signing does. And the 
reason I have so far not bothered signing, even if I use those packages 
myself in production - for servers and workstations that approx. 1.000 
users depend on privately as well as professionally.

Personally I have greater trust in my own backports done this way than 
in backports.org, YMMV. :-)


> Results:
> New VM with lenny + your repository: not reproducible
> New user on lenny + sid machine after updating to latest Sugar from sid:  
> still reproducible
>
> So either some non-Sugar package from sid really slipped in (any way to  
> check that?) or there's some difference between the Sugar packages in  
> your repository and the ones in sid.

My Lenny packages has been compiled against libraries in Lenny.

Sid packages has been compiled against libraries in Sid.

Mixing "branches" raises risk of incompatibilities. As this clearly 
shows IMHO.

Please test if a pure Sid environment works. If it does, I believe we 
should simply close this bug.


  - Jonas


[1] If a package is backported to a more conservative branch, and needs 
some library backported too, then the library gets backported in a clean 
environment and is then included in an almost-clean environment. If the 
build process needs helper tools backported then that is either done 
similarly.

The package URL hints about the branch used, e.g. sugar-toolkit for Etch 
on i386 is built in the almost-clean "etch-i32+src" environment at the 
build host "auryn": 
http://debian.jones.dk/pkg/sugar/sugar-toolkit/etch-ia32+src/auryn/

That "+src" pollution is available too: http://debian.jones.dk/pkg/src/

- -- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl2VVYACgkQn7DbMsAkQLhSTwCdFsjyxjTKs/7bqnvtyb4sSJwT
Z30AnR8gZV/Uy+eCK/FmYWt6iClf0J71
=dCMj
-----END PGP SIGNATURE-----

More information about the Debian-olpc-devel mailing list