2

I'm researching how to supply some software as a Debian package. I intend to act as a third party supplier, and forgo adding the sources to Debian through a sponsor. Users must add the appropriate entry to their sources.list.

According to the Debian docs on Debian Repository | Use Third Party:

Keys updates SHOULD be distributed by a Debian package called deriv-archive-keyring. This package MUST distribute the key in binary form in the aforementioned location ... and MAY also include the /etc/apt/sources.list.d/deriv.sources or /etc/apt/sources.list.d/deriv.list files and the /etc/apt/preferences.d/deriv.pref file

It seems to me if two different third party packages are used, then a name collision will occur and one third party package will overwrite the other third party package. For example, if a user already added one third party repo, then my deriv-archive-keyring will overwrite the earlier deriv-archive-keyring.

How does Debian avoid one package overwriting another package?

0

1 Answer

2

Indeed having two unrelated packages with the same name clashes, and the newer installed will replace the former (notwithstanding special settings like multi-arch not related to this case). It can do this without problem because it keeps the list of all files belonging to the installed package, for every installed package.

You should not take deriv too literally, despite the vocabulary including "SHOULD" etc. This term is a placeholder for the actual derivative name you'll choose, and you should replace it wherever it's mentioned with your actual derivative name.

Just take a look at the official Debian repository, it already includes a few archive-keyring packages (including itself) to ease "initial trust" issues when pulling packages from some known derivative or add-on distributions (it should always be done carefully):

# apt-cache search '^.*-archive-keyring$'
debian-archive-keyring - GnuPG archive keys of the Debian archive
debian-ports-archive-keyring - GnuPG archive keys of the debian-ports archive
emdebian-archive-keyring - GnuPG archive keys for the emdebian repository
leap-archive-keyring - OpenPGP archive key for the leap.se software repositories
neurodebian-archive-keyring - neuroscience-oriented distribution - GnuPG archive keys
pkg-mozilla-archive-keyring - GnuPG archive keys for the Debian Mozilla team package repository
ubuntu-archive-keyring - GnuPG keys of the Ubuntu archive - transition package
ubuntu-keyring - GnuPG keys of the Ubuntu archive

For the provided packages themselves, you should avoid clashing with existing packages, unless you're prepared to accept the consequences, e.g. when providing a newer version of the same package name: dealing with bug reports sent to the wrong place etc. Better to choose an alternate package name.

For the commands provided by the packages, that's easier to deal with, with tools like update-alternatives that some of your packages might have to use, or provide ways to use, during or after installation.
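A pre-publication check along the lines of the answer above, as an added example that is not part of the original post: it substitutes a chosen derivative name for the `deriv` placeholder and tests the resulting keyring package name against a list of known packages. The function names and the name `myrepo` are hypothetical, and the embedded package list is a constructed sample taken from the `apt-cache` output quoted in the answer.

```shell
#!/bin/sh
# Added example (not from the original post). All function names are hypothetical.
LC_ALL=C   # make the [a-z] ranges below match ASCII lowercase only

# Constructed sample: package names from the apt-cache output quoted in the answer.
KNOWN_PACKAGES='debian-archive-keyring
debian-ports-archive-keyring
emdebian-archive-keyring
leap-archive-keyring
neurodebian-archive-keyring
pkg-mozilla-archive-keyring
ubuntu-archive-keyring
ubuntu-keyring'

# Debian package names may use only a-z, 0-9, '+', '-' and '.',
# and must start with an alphanumeric character.
valid_name() {
    case "$1" in
        ''|*[!a-z0-9+.-]*) return 1 ;;
        [a-z0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Replace the "deriv" placeholder in the package name from the Debian docs.
keyring_package() { printf '%s-archive-keyring\n' "$1"; }

# Optional files the keyring package MAY ship, per the quoted docs.
shipped_paths() {
    printf '/etc/apt/sources.list.d/%s.sources\n' "$1"
    printf '/etc/apt/sources.list.d/%s.list\n' "$1"
    printf '/etc/apt/preferences.d/%s.pref\n' "$1"
}

# check_name NAME [PACKAGE_LIST] -> 0 free, 1 clashes, 2 invalid name
check_name() {
    valid_name "$1" || return 2
    pkg=$(keyring_package "$1")
    list=${2-$KNOWN_PACKAGES}
    if printf '%s\n' "$list" | grep -qxF -- "$pkg"; then return 1; fi
    return 0
}

# Demo: "myrepo" is a hypothetical derivative name.
for n in myrepo neurodebian My_Repo; do
    rc=0; check_name "$n" || rc=$?
    echo "$n -> $(keyring_package "$n"): status $rc"
done
```

On a real system, pass the live package list instead of the sample, for example `check_name myrepo "$(apt-cache pkgnames)"`; this only covers the repositories configured on that machine.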
