On 31/12/2019 11:16, Bardot Jérôme wrote:
> On 31/12/2019 11:28, Denis Roio wrote:
>>
>> dear devs,
>>
>> today I stumbled on this message
>>
>> https://twitter.com/tamatsu_tme/status/1211558102098538498
>>
>> roughly translates to:
>> ""
>> Well, the timestamp of the official iso image file of devuan 2.1 ASCII
>> changed just the other day (December 21), and the checksum of SHA256
>> has changed, I wonder what happened. I want you to stop updating in
>> the same version, I want you to make it 2.1.1 if you update something
>> even if it is content compatible.
>> ""
>>
>> is this the case? anyone knows?
>>
>> in case yes then it would be good to issue a notice in the README or
>> so, I agree that on official releases any minimum change should be
>> reflected in versioning.
And the versioning should extend down to the package\binary itself.
This is one of the major contributing factors to why I refuse to use
Ubuntu-based distros. They patch a binary but do not change its revision,
or they change a version so it no longer matches its upstream version.
CVE nightmare: manually checksumming every file on a system is expensive
and, whilst it can show it was not tampered with, does nothing to indicate
its source origins. This would be a killer to Devuan for me.
Do not underestimate the importance of maintaining proper versions\revisions.
Systems Administrators need to be able to demonstrate "Due Diligence" to
contribute towards fireproofing their underwear.