On 2018-12-03 14:37:03, Adam D. Barratt wrote: > On 2018-12-03 14:23, Antoine Beaupré wrote: >> On 2018-12-03 08:16:47, Julien Cristau wrote: >>> Control: tag -1 confirmed >>> >>> On Mon, Jun 18, 2018 at 01:56:11PM -0400, Antoine Beaupre wrote: >>>> diff -Nru monkeysign-2.2.3/debian/changelog >>>> monkeysign-2.2.4/debian/changelog >>>> --- monkeysign-2.2.3/debian/changelog 2017-01-24 15:40:35.000000000 >>>> -0500 >>>> +++ monkeysign-2.2.4/debian/changelog 2018-06-18 12:18:46.000000000 >>>> -0400 >>>> @@ -1,3 +1,14 @@ >>>> +monkeysign (2.2.4) unstable; urgency=medium >>>> + >>>> + [ Tobias Rueetschi ] >>>> + * false isn't defined, that must be False >>>> + >>>> + [ Antoine Beaupré ] >>>> + * actually send multiple emails instead of a single one >>>> + * CVE-2018-12020: add no verbose to avoid fake signatures >>>> + >>>> + -- Antoine Beaupré <anar...@debian.org> Mon, 18 Jun 2018 12:18:46 >>>> -0400 >>>> + >>>> monkeysign (2.2.3) unstable; urgency=medium >>>> >>>> [ Simon Fondrie-Teitler ] >>> >>> This would need to be versioned as 2.2.3+deb9u1. >> >> But it's exactly the 2.2.4 release published to unstable - why the >> different version number? > > Because, as you say, a package with the version "2.2.4" has already been > uploaded to Debian. One can't have a different package in stable and > unstable with the same version number.
Sure you can. If a package is not updated between the time the unstable package trickles down into testing and then becomes table, it will have the exact same version number and binary builds. > (It's not "exactly the same" - the stretch upload will be built in a > stretch chroot, so may well end up with different dependencies. At the > very least, it needs a d/changelog entry detailing that it was uploaded > to stable, which makes it different from the unstable upload.) It seems quite strange to me to have to rebuild a package with a different version number in this very specific case. Monkeysign is in maintenance mode now and the only reason I did this release with that specific numbering scheme is specifically targeting Debian stable. First I was told to upload it to unstable before uploading it to stable, and now I am told the 2.2.4 release cannot be uploaded to stable. I hope you understand I might find the process a tad confusing. :) A.