On Sun, Jan 07, 2001 at 05:32:39PM +0000, Steve McIntyre wrote: > I'm looking at patching debian-cd to use ftparchive for woody > CDs. I'll keep people posted on progress... Actually, a better idea, theoretically is to just copy the Packages files from the archive. This is a better idea because come release time, there'll basically be a list of all the Packages files (for all architectures, all components including non-US) with their expected sizes and md5sums that's signed by (at least) me as release manager. Apt will (hopefully) use this to verify the integrity of the archive, both against corruption (mismatching md5sums due to random failures, or an unsynced archive), and to ensure it's from the right people (checking the signatures). So if you distribute CDs with this file (which'll be dists/woody/Release, with a detached signature in dists/woody/Release.gpg), and pristine Packages files in dists/woody/*/binary-*/, it'll be possible to verify with a good degree of confidence that a CD does actually match the archive. The downside is that the Packages files on each CD will thus list a bunch of packages that don't actually exist. apt-cdrom will complain about this atm, but otherwise work fine... The other upside is that just copying Packages files is probably a lot easier and quicker than using dpkg-scanpackages or apt-ftparchive. :) Cheers, aj -- Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/> I don't speak for anyone save myself. GPG signed mail preferred. ``Thanks to all avid pokers out there'' -- linux.conf.au, 17-20 January 2001
Attachment:
pgp2NFYIO9JSZ.pgp
Description: PGP signature