
Re: Bug#93612: Support for new archive structure



Jason: wassup with apt-cdrom and dists/woody/Release and such?

On Wed, Apr 11, 2001 at 09:45:58AM +0200, Raphael Hertzog wrote:
> On Wed, Apr 11, 2001 at 01:05:41PM +1000, Anthony Towns wrote:
> > For this to work, the Release and Release.gpg files should be verbatim
> This is not a problem, we just need to copy Release.gpg as well.

Note that the two files:

	dists/woody/main/binary-i386/Release
	dists/woody/Release

are quite different. Are you already copying dists/woody/Release or just
dists/woody/main/binary-i386/Release?

> > from the archive. For that to work, the Packages and Sources files also
> > must be verbatim from the archive.

If you do this, then verifying a mirror or a CD looks like:

	0) Check that Release describes the distribution you think it's
	   meant to
	1) Check that Release.gpg is a detached signature for Release,
	   signed with the right key
	2) Check that the md5sums of the Packages.gz and Sources.gz files
	   you have match the md5sums listed in the Release file
	3) Check the md5sums of the debs you have match the md5sums listed
	   in the Packages files

(0) is a user interface issue, (3) is already done by apt, and (1) and
(2) are reasonably straightforward additions.

> This is a problem. I *really* don't like having Packages and Sources files
> mentioning files that are not available. It goes against some principles
> I always tried to follow. debian-cd has been written in order to be able
> to generate CDs which contain a subset of Debian and I don't want to have to
> put the complete Packages file on each CD set we'll create with
> debian-cd.

OTOH, if you *don't* do this, verification becomes much harder.

> An acceptable alternative would be to provide Packages.signed and
> Sources.signed that could be checked against Release.gpg, and a check for
> a package's "validity" would be to compare whether the 2 or 3 pieces of
> information match (Packages, Packages.signed and the package itself).

For example, if you have separate files, you'd need to change step (2) to
be:

	2a) Check that the md5sums of the Packages-signed.gz and
	    Sources-signed.gz files you have match the md5sums listed
	    in the Release file
	2b) Check that every package listed in each Packages.gz and
	    Sources.gz exactly matches the corresponding entry in
	    Packages-signed.gz or Sources-signed.gz, and that there *is*
	    a corresponding entry

which is a fair bit more awkward.

> > ...should be the sort of thing to do.
> Unfortunately debian-cd is a bit more complicated. :)

Well, naturally...

> > trigger a bunch of apt-cdrom warnings still when people try to install
> > from it, but those are things that need to be fixed in apt-cdrom...
> I'm not sure that this is really the way to go. apt-cdrom has been
> designed to be able to use different CDs from different CD sets; it will
> build a list of the files mentioned on each CD, so it's a big win that
> each CD only mentions what it really does have!

Well, another way of handling that would be to maintain a separate list
of which packages are on the CD. This'd be pretty easy to do, and wouldn't
have any impact on security issues. It'd need support from apt-cdrom, perhaps.

Something like:

	dists/woody/
		Release
		main/binary-i386/
			Packages.gz
			Packages-Present.gz

where Packages-Present.gz is just a list like:
	anacron
	apt
	dpkg
	libc6
without any additional information.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``_Any_ increase in interface difficulty, in exchange for a benefit you
  do not understand, cannot perceive, or don't care about, is too much.''
                      -- John S. Novak, III (The Humblest Man on the Net)
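Steps (2) and (3) of the verification checklist in the mail, as an added Python example that is not from the mail, from apt or from debian-cd: index files are checked against the Release file's MD5Sum stanza, and debs are checked only against an index that itself passed. Step (1), verifying Release.gpg, is assumed to have been done beforehand; the Release, Packages and .deb contents below are constructed samples, not real archive files.

```python
import hashlib

# Constructed samples (not from a real archive): one deb, the Packages file listing it,
# and a Release file listing that Packages file in its MD5Sum stanza.
DEB_PATH = "pool/main/a/anacron/anacron_example_i386.deb"
DEB_BYTES = b"stand-in for .deb contents\n"
INDEX_PATH = "main/binary-i386/Packages"
PACKAGES = (
    f"Package: anacron\nFilename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\n"
    f"MD5sum: {hashlib.md5(DEB_BYTES).hexdigest()}\n"
)
RELEASE = (
    "Suite: woody\nArchitectures: i386\nMD5Sum:\n"
    f" {hashlib.md5(PACKAGES.encode()).hexdigest()} {len(PACKAGES.encode())} {INDEX_PATH}\n"
)

def parse_release_md5sums(release):
    """Return {path: (md5, size)} from the 'MD5Sum:' stanza of a Release file."""
    sums, in_stanza = {}, False
    for line in release.splitlines():
        if line.startswith("MD5Sum:"):
            in_stanza = True
        elif in_stanza and line.startswith(" "):
            md5, size, path = line.split()
            sums[path] = (md5, int(size))
        elif in_stanza:
            break  # first unindented line ends the stanza
    return sums

def parse_packages(packages):
    """Return {Filename: (MD5sum, Size)} for every stanza of a Packages file."""
    out = {}
    for stanza in packages.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        out[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return out

def verify(release, index_files, debs):
    """Steps (2) and (3): return a list of failures; an empty list means all checks passed."""
    failures, trusted = [], {}
    expected = parse_release_md5sums(release)
    for path, data in index_files.items():
        if expected.get(path) != (hashlib.md5(data).hexdigest(), len(data)):
            failures.append(f"{path}: missing from or not matching Release")
            continue  # never take package entries from an unverified index
        trusted.update(parse_packages(data.decode()))
    for path, data in debs.items():
        if trusted.get(path) != (hashlib.md5(data).hexdigest(), len(data)):
            failures.append(f"{path}: missing from or not matching a verified Packages file")
    return failures
```

A tampered Packages file therefore fails on its own and also takes every deb it listed with it, which is why the mail wants the index files verbatim from the archive rather than rewritten per CD.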
