Re: Bug#93612: Support for new archive structure
On Fri, 13 Apr 2001, Raphael Hertzog wrote:
> That's the first time I see Debian willing to accept "invalid" CDs instead
> of designing cleanly the thing from scratch so that such problems don't
> exist.
Ha! It hasn't been until recently that Debian has had 'valid' CDs at all.
> > > I'm really beginning to think that the only valid alternative is
> > > to have a Release file and its signature for each CD.
> >
> > Absolutely not.
>
> Why? Of course, it's a pain for the Release manager to sign & check all
> those files but I don't see why it wouldn't be an acceptable solution ...
Because anyone should be able to build a CD set without having to get the
release manager to sign the thing.
Look, no matter what you do, you always end up with a lame situation. The
fewest people will be affected, and the largest gains realized if the
Package file has extra entries.
a) Use verbatim package files and call them 'Packages'
   - Everyone can make a CD set, and we still have end-to-end security
   - apt file:/../ does not work properly on those discs
b) Use verbatim package files and call them 'Packages.something'
   - Everyone can make a CD set, and we still have end-to-end security
   - apt file:/../ does not work properly on those discs
c) Resign the Release files
   - Only Debian can make disks, we lose end-to-end security
     and the RM/Security/etc groups have to sign a bajillion files
   - Hurd loses again, since their weirdo CDs have to be resigned
   - Debian derivatives lose, since their weirdo CDs have to be resigned
   - apt file:/../ works
d) Do nothing
   - No security :P
'a' is clearly the lesser evil and the only drawback is that a very small
number of people have to stop using apt file:/../ - and even that is
fixable with some adjustments to APT.
Now, if you have a magical 'e)' that doesn't have the drawbacks of 'c)' or
the problems of 'a)' then speak up!
Jason
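
Added example, not part of the original message or of APT's code: a Python sketch of why a verbatim Packages file (options a and b) keeps the chain from the signed Release file intact, while a Packages file regenerated for one disc fails the check unless the Release file is re-signed (option c). It assumes the Release signature has already been verified separately, and it uses the SHA256 checksum field found in current Release files; all package names, paths and file contents are constructed.

```python
import hashlib

def parse_release(text, field="SHA256"):
    """Return {path: (hex_digest, size)} from one checksum field of a Release file."""
    entries, in_field = {}, False
    for line in text.splitlines():
        if line.startswith(" ") and in_field:
            # Continuation line of the checksum field: " <digest> <size> <path>"
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            # Any non-indented line starts a new field
            in_field = line.startswith(field + ":")
    return entries

def verify_index(release_text, path, data):
    """True only if data has the size and digest the Release file lists for path."""
    entry = parse_release(release_text).get(path)
    if entry is None:
        return False  # an index the signed Release does not list is never trusted
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

# Constructed sample: the archive's Packages file, copied verbatim to the disc.
ARCHIVE_PACKAGES = (
    b"Package: hello\nVersion: 1.0-1\n"
    b"Filename: pool/main/h/hello/hello_1.0-1_i386.deb\n\n"
    b"Package: world\nVersion: 2.0-1\n"
    b"Filename: pool/main/w/world/world_2.0-1_i386.deb\n\n"
)
# Constructed sample: a Packages file regenerated to list only what is on this disc.
CD_PACKAGES = ARCHIVE_PACKAGES.split(b"\n\n")[0] + b"\n\n"

PATH = "main/binary-i386/Packages"  # hypothetical index path
# Constructed Release file; in practice its detached signature is checked first.
RELEASE = "Origin: Example\nSuite: stable\nSHA256:\n %s %d %s\n" % (
    hashlib.sha256(ARCHIVE_PACKAGES).hexdigest(), len(ARCHIVE_PACKAGES), PATH)

if __name__ == "__main__":
    print("verbatim Packages verifies:", verify_index(RELEASE, PATH, ARCHIVE_PACKAGES))
    print("per-disc Packages verifies:", verify_index(RELEASE, PATH, CD_PACKAGES))
```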