
Re: Bug#93612: Support for new archive structure



On Wed, Apr 11, 2001 at 06:59:10PM +1000, Anthony Towns wrote:
> Note that the two files:
> 
> 	dists/woody/main/binary-i386/Release
> 	dists/woody/Release
> 
> are quite different. Are you already copying dists/woody/Release or just
> dists/woody/main/binary-i386/Release?

Only the latter. But it's still not a problem to copy the former and
its signature. 

> If you do this, then verifying a mirror or a CD looks like:

I know and I understand. However, doing it the other way around is
not much more complicated.

> For example, if you have separate files, you'd need to change step (2) to
> be:
> 
> 	2a) Check that the md5sums of the Packages-signed.gz and 
> 	    Sources-signed.gz files you have match the md5sums listed 
> 	    in the Release file
> 	2b) Check that every package listed in each Packages.gz and
> 	    Sources.gz exactly matches the corresponding entry in
> 	    Package-signed.gz or Sources-signed.gz, and that there *is*
> 	    a corresponding entry
> 
> which is a fair bit more awkward.

If you have to modify apt-cdrom at least you can make it manage this
precise case. Use "Packages" file for knowing which packages are available
on the CD and Packages-signed for checking integrity with md5sum and so on,
it's the same as what you mentioned but with some more duplication of
information (all fields that are present in Packages files).

I don't want to change the "standard" Packages files since those are used
by all the old tools we have (including those that won't understand why
the listed files don't exist). Signed Packages files are an add-on and
should not interfere with things that always worked right. At least until
it's proven that we have to change everything to get the security level we
want. But I don't think that you can prove something like that.

Cheers,
-- 
Raphaël Hertzog -+- http://strasbourg.linuxfr.org/~raphael/
The Net's word of mouth: http://www.beetell.com
Browse without tiring yourself out searching: http://www.deenoo.com
Linux and free software training: http://www.logidee.com
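
Step 2b from the quoted procedure, sketched as an added example that is not part of the original message or of any Debian tool: every entry in the unsigned Packages file must have an identical entry in Packages-signed. The function names and the choice of (Package, Version, Architecture) as the entry key are assumptions, and Packages-signed is assumed to have already passed step 2a against the signed Release file.

```python
import re

def parse_stanzas(text):
    """Map (Package, Version, Architecture) -> field dict for a Packages-style file."""
    index = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            ident = (fields["Package"], fields.get("Version"), fields.get("Architecture"))
            index[ident] = fields
    return index

def check_step_2b(packages_text, signed_text):
    """Return (package, problem) pairs; an empty list means step 2b passes."""
    signed = parse_stanzas(signed_text)
    problems = []
    for ident, fields in parse_stanzas(packages_text).items():
        if ident not in signed:
            problems.append((ident[0], "no corresponding signed entry"))
        elif signed[ident] != fields:
            diff = sorted(k for k in set(fields) | set(signed[ident])
                          if fields.get(k) != signed[ident].get(k))
            problems.append((ident[0], "fields differ: " + ", ".join(diff)))
    return problems

# Constructed sample data, not real archive contents.
SIGNED = """\
Package: hello
Version: 1.3-16
Architecture: i386
Filename: pool/main/h/hello/hello_1.3-16_i386.deb
MD5sum: 0123456789abcdef0123456789abcdef
"""
# Same entry with a swapped checksum, plus an entry the signed file never listed.
TAMPERED = SIGNED.replace("0123456789abcdef" * 2, "f" * 32) + """
Package: extra
Version: 1.0
Architecture: i386
MD5sum: 00000000000000000000000000000000
"""
if __name__ == "__main__":
    print(check_step_2b(TAMPERED, SIGNED))
```

Entries that appear only in Packages-signed are not reported, since the procedure only requires that everything listed in Packages be covered by a signed entry.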


