On Fri, 12 Feb 2021, 12:52 am Guillem Jover, <guil...@debian.org> wrote:
> Then there's the problem with changing contents for already seen
> files, which seems like a dak bug. It does not allow to change a
> tarball once it has been seen, so I don't see why it should allow a
> changed .asc either?

That's not true. Call it a dak bug or a feature, depending on where you stand.

Dak forgets everything concerning a file as soon as it's not present in any suite it manages. This usually appears in the way of people uploading a package with the same name and version of something that was removed long long ago and since then archived and forgotten by dak.

It's totally possible to overwrite a tarball with the same filename too that way, you just need to wait the appropriate amount of time and upload things in a way that you replace the upstream tarball. (Honestly I haven't tried this myself, but I have a package where if you'd like I can actually go and try to prove my point).

Back to the original bug report: I personally believe that the signatures there are fine, and I don't believe in the "upstream the re-sign an already released tarball" story. But I consider the current forgetfulness of dak as a bug.