
Re: Bug#93612: Support for new archive structure



On Sat, 14 Apr 2001, Jason Gunthorpe wrote:

> 
> On Sat, 14 Apr 2001, Philip Charles wrote:
> 
> > A CD (or iso image) is essentially one file and the integrity of this can
> > be verified by a single signed checksum.
> 
> No, that is such an oversimplification and what you have described of the
> HURD CD's proves that.
> 
> CD's may in fact contain content from the Debian site and it should be
> possible to validate that content was part of a Debian release without
> having to jump through any special hoops. That is independent of anything
> else on the CDs.

It is not a simplification.  It is drawing boundaries.  Is Debian
responsible for Libranet, Corel, Stormix, and Progeny?  I may be the only
person in NZ that is offering vendor versions of Debian to the public, but
there are others here doing this as consultants and in an in-house role. 
I think that you would be surprised just how much of this is happening
worldwide.  Is Debian responsible for these? 

I suggest that Debian's responsibility for the integrity of CDs stops with
the Official CD images.

I take great care to ensure the integrity of Debian packages included on my
custom CDs, but in the last analysis the responsibility is mine.  I would
welcome any additional tools to check what I do.

CDs are best viewed as an entity of their own and not an extension of the
Official archive.  Those responsible for the creation of the Official
discs keep as close to the Official archive structure as possible.  However,
debian-cd and boot-floppies are very flexible and coupled with the present
installation tools great and wondrous installation CDs can be built and
used in peculiar ways. The ability to build these specialised CDs is one
of the great strengths of Debian.  People need to be involved in the
Debian CD field to understand what can be done.  Some of the less standard
ways of using CDs have been mentioned in the discussion so far, and there
are many more.  Do not mess with this flexibility. If you do then you are
in danger of destroying one of Debian's great strengths.
  
> > only extends to Official CDs.  The parallel here is some of the rather
> > awful in-house Debian archives, Debian cannot take responsibility for
> > these.  A verification process may be available, but people may choose not
> > to use it. 
> 
> Debian may not be responsible, but it does support them. There is no
> reason they should lose out on verification too. Look at apt-cdrom
> someday, it jumps through an unbelievable number of hoops specifically to
> support non-official CD's that may have not been made according to our
> standards.

So don't do anything to limit any of its present functions.

While the integrity issue for CD images can be solved by signing them, I
recognise that the problem for mirrors is more complex and we have a
solution to hand, great.  What I would like to see is some kind of
mechanism by which I could check my Debian archive using the Release file. 

Have a good Easter. 

Phil.

-
  Philip Charles; 39a Paterson St., Dunedin, New Zealand; +64 3 4882818
Mobile 025 267 9420.  I sell GNU/Linux CDs.   See http://www.copyleft.co.nz
     philipc@copyleft.co.nz - preferred.           philipc@debian.org
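
An added illustration of the check asked for at the end of this message, not code from the thread or from any Debian tool: it reads the checksum section of a Release file and compares each listed file in a local archive tree against it. It assumes the Release file's own signature has already been verified separately; the function names and the sample tree are constructed for the example.

```python
import hashlib
import os
import tempfile

ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}  # Release field -> hashlib name

def parse_release(text, field="SHA256"):
    """Return {relative_path: (hex_digest, size)} for one checksum field."""
    entries, in_field = {}, False
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):              # indented: belongs to the field above
            if in_field and line.strip():
                digest, size, path = line.split(None, 2)
                entries[path] = (digest.lower(), int(size))
        else:
            in_field = line.split(":", 1)[0] == field
    return entries

def check_archive(dist_dir, release_text, field="SHA256"):
    """Check files under dist_dir against the Release entries; return {path: status}."""
    root, results = os.path.realpath(dist_dir), {}
    for path, (digest, size) in parse_release(release_text, field).items():
        full = os.path.realpath(os.path.join(root, path))
        if os.path.commonpath([root, full]) != root:
            results[path] = "rejected"           # entry escapes the archive tree
        elif not os.path.isfile(full):
            results[path] = "missing"            # expected on partial mirrors and CDs
        else:
            h = hashlib.new(ALGOS[field])
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            same = os.path.getsize(full) == size and h.hexdigest() == digest
            results[path] = "ok" if same else "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact file, one altered after release, one absent."""
    listed = {"main/binary-i386/Packages": b"Package: hello\n",
              "contrib/binary-i386/Packages": b"Package: demo\n",
              "non-free/binary-i386/Packages": b"Package: gone\n"}
    release = "Origin: Example\nSuite: stable\nSHA256:\n" + "".join(
        f" {hashlib.sha256(d).hexdigest()} {len(d)} {p}\n" for p, d in listed.items())
    with tempfile.TemporaryDirectory() as root:
        for path in list(listed)[:2]:            # the third file is left off the disc
            os.makedirs(os.path.dirname(os.path.join(root, path)))
            with open(os.path.join(root, path), "wb") as fh:
                fh.write(listed[path] if path.startswith("main/") else b"Package: evil\n")
        return check_archive(root, release)
```

A "missing" result is reported separately from "MISMATCH" because a custom CD or partial mirror may legitimately carry only part of what Release lists, while a mismatch means a file differs from the released content.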


