On Wed, Apr 11, 2018 at 02:05:03PM -0700, Russ Allbery wrote: > Adrian Bunk <b...@debian.org> writes: > > > Imagine tomorrow a random person from the internet noone has ever heard > > of uploads a package dgit 5.0 to mentors.d.n. > > > It is clear that this would not be sponsored. > > > "detected by tooling" would mean that this would result in dak > > autorejecting any future uploads of a dgit package version 5.0 to > > Debian. > > This sounds like a feature? I think that would be exactly the right > outcome. It avoids any possibility of confusion with this rogue 5.0 > version, if it should turn up somewhere else.
Debian version numbers are usually not globally unique. The binary packages of dgit 4.3 in Debian and Ubuntu are different builds from the same sources, and for binary-any packages such different builds usually have different contents.[1] And more common is actually the reverse problem of someone publishing a different 5.0 after a 5.0 is already in our archive (usually by making modifications without changing the version number). > Version numbers are composed of integers. Getting another integer is > free, and there is not a limited supply. We won't run out, and missing > sequence numbers cause no problems in the world. Giving every person on the internet the power to steal version numbers for random packages would be dangerous. There's implicit meaining behind version numbers, like debhelper 12 being the first version where compat 12 will be stable. Apart from obvious (scripted) DoS for taking all reasonable numbers for a package, it would also e.g. encourage derivates to steal Debian version numbers instead of using a proper namespace.[2] Versions of packages that are accepted into our archive must be unique, but random people from the internet should not have the power to restrict what a maintainer can do in Debian. cu Adrian [1] e.g. different Debian revisions of gcc usually generate slightly different code [2] e.g. using 1.0-2 instead of 1.0-1devuan, resulting in an improved dak autorejecting a maintainer upload of 1.0-2 -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed