On Sun, Jan 07, 2001 at 05:32:39PM +0000, Steve McIntyre wrote:
> I'm looking at patching debian-cd to use ftparchive for woody
> CDs. I'll keep people posted on progress...
Actually, a better idea, theoretically is to just copy the Packages files
from the archive.
This is a better idea because come release time, there'll basically be
a list of all the Packages files (for all architectures, all components
including non-US) with their expected sizes and md5sums that's signed by
(at least) me as release manager. Apt will (hopefully) use this to verify
the integrity of the archive, both against corruption (mismatching md5sums
due to random failures, or an unsynced archive), and to ensure it's from
the right people (checking the signatures).
So if you distribute CDs with this file (which'll be dists/woody/Release,
with a detached signature in dists/woody/Release.gpg), and pristine
Packages files in dists/woody/*/binary-*/, it'll be possible to verify
with a good degree of confidence that a CD does actually match the
archive.
The downside is that the Packages files on each CD will thus list a bunch
of packages that don't actually exist. apt-cdrom will complain about this
atm, but otherwise work fine...
The other upside is that just copying Packages files is probably a lot
easier and quicker than using dpkg-scanpackages or apt-ftparchive. :)
Cheers,
aj
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``Thanks to all avid pokers out there''
-- linux.conf.au, 17-20 January 2001
Attachment:
pgp2NFYIO9JSZ.pgp
Description: PGP signature