Re: [RFH] The need for signed packages and signed Releases (long, long)
On Thu, Nov 14, 2002 at 06:40:51PM +0700, Robert Lemmen wrote:
> which leaves the second part.
[which was using the timestamp and making sure you work out what is "too
old"]
This is easy for testing and unstable -- anything more than a few days
old, and you've got reason to be worried. For stable it's not so easy
-- not only do we not do regular updates, but people buy it on CD and
might legitimately be missing out on updates. For security it's likewise
difficult -- updates are done irregularly, when we find security problems.
The current script addresses this by printing out the date and letting
the user decide, other things are possible, but it's not clear what's a
good idea. We *don't* change stable releases except at point updates,
not even in trivial things like updating timestamps. I don't really think
that's a good thing to change.
It's possible the best idea would be to have a separate timestamp file in
dists/, that looks something like:

    Timestamp: Fri, 15 Nov 2002 04:16:30 UTC

    Distribution: Debian2.2r7
    Aliases: potato, oldstable
    Last-Update: Fri, 12 Jul 2002 16:16:28 UTC

    Distribution: Debian3.0r0
    Aliases: woody, stable
    Last-Update: Fri, 19 Jul 2002 19:03:33 UTC

    Distribution: sarge
    Aliases: testing
    Last-Update: Thu, 14 Nov 2002 20:43:23 UTC

    Distribution: sid
    Aliases: unstable
    Last-Update: Thu, 14 Nov 2002 20:43:42 UTC

This file would have to be signed too; if it was invalid, you could use
the dates in the Release file and optionally continue anyway though.
> but it should be much easier to train apt to do that than train every
> single user to do so.
apt-get source apt; vi...
Cheers,
aj
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``If you don't do it now, you'll be one year older when you do.''
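As an added example (not code from the mail, from apt, or from Debian), here is how a client could parse the signed timestamp file proposed above and apply the freshness reasoning: the file's own Timestamp is checked against a window, and each suite's Last-Update is compared with the date of the locally held Release file. Assumptions: the three-day window stands in for "a few days", the sample file is constructed from the mail's stanzas (abridged to two distributions), and the signature on the file is taken to have verified already.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the stanza format proposed above (two distributions).
SAMPLE = """\
Timestamp: Fri, 15 Nov 2002 04:16:30 UTC

Distribution: Debian3.0r0
Aliases: woody, stable
Last-Update: Fri, 19 Jul 2002 19:03:33 UTC

Distribution: sid
Aliases: unstable
Last-Update: Thu, 14 Nov 2002 20:43:42 UTC
"""
DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"
MAX_FILE_AGE = timedelta(days=3)  # assumption standing in for "a few days"

def parse_date(text):
    """Parse the RFC 822-style UTC dates used in the file into aware datetimes."""
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)

def parse_timestamp_file(text):
    """Return (file timestamp, {distribution or alias: last update})."""
    stanzas, cur = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line closes the current stanza
            if cur:
                stanzas.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        stanzas.append(cur)
    updates = {}
    for d in stanzas[1:]:  # stanzas[0] is the header carrying Timestamp
        for name in [d["Distribution"]] + [a.strip() for a in d["Aliases"].split(",")]:
            updates[name] = parse_date(d["Last-Update"])
    return parse_date(stanzas[0]["Timestamp"]), updates

def check_suite(text, suite, local_release_date, now):
    """Classify our Release file for `suite` against the signed timestamp file:
    stale (file older than MAX_FILE_AGE or future-dated: replay or stale mirror),
    unknown, current, or outdated (a newer update, for stable a point release)."""
    stamp, updates = parse_timestamp_file(text)
    if abs(now - stamp) > MAX_FILE_AGE:
        return "stale"
    if suite not in updates:
        return "unknown"
    return "current" if local_release_date >= updates[suite] else "outdated"
```

Because the file is regenerated regularly even when stable itself does not change, a stale result is meaningful for every suite, while "outdated" on stable simply tells a CD user that a point release exists.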