
Re: effectiveness of rsync and apt



On 5/1/06, Andreas Barth <aba@not.so.argh.org> wrote:
> Or you could create the diffdebs before upload or on ftp-master, and
> include the diffdebs somehow in the Packages file (so they're signed as
> well by the usual mechanism).

My initial view is that any delta package system that doesn't
reproduce the exact same .debs as downloading the package from scratch
is a non-starter.  It opens up the door to all kinds of funky
maintenance questions like "well, did you install from the patch
package, or the real package?  was this a bug in the patch package?",
etc...  Ideally, package maintainers will never have a reason to care
that delta packages exist.

If you start with the view that the patch system has to produce the
new .deb file in exactly the same form as if you had downloaded the
new package, then you can rely on the existing signing to do the
package verification.  Whatever code is working with the patch package
needs to be extra careful, since the patch package is untrusted input.
If the patches are unsigned, the code that uses those packages will
need extra scrutiny.

Regards,
Brian
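
An added example, not part of the original message: one way to rebuild a .deb from an untrusted delta and accept it only if it is byte-identical to the package named in the signed Packages index. The copy/insert delta format, the function names and the sample bytes are hypothetical, and the Packages stanza is assumed to come from an index whose signature was already verified.

```python
import hashlib
import hmac

# Constructed sample: bytes standing in for the old and new .deb files.
OLD_DEB = b"debian-binary 2.0 | control v1.0 | data: hello world\n"
NEW_DEB = b"debian-binary 2.0 | control v1.1 | data: hello world!\n"

# Constructed Packages stanza; assumed to come from an index whose Release
# signature was already verified by the usual archive mechanism.
PACKAGES = (
    "Package: hello\nVersion: 1.1\n"
    f"Size: {len(NEW_DEB)}\nSHA256: {hashlib.sha256(NEW_DEB).hexdigest()}\n"
)

def parse_stanza(text):
    """Parse one 'Field: value' stanza of a Packages file into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def apply_delta(old, ops, max_size):
    """Apply a hypothetical copy/insert delta, treating ops as untrusted."""
    out = bytearray()
    for op in ops:
        if op[0] == "copy":
            _, off, length = op
            if off < 0 or length < 0 or off + length > len(old):
                raise ValueError("copy range outside old package")
            out += old[off:off + length]
        elif op[0] == "insert":
            out += op[1]
        else:
            raise ValueError("unknown delta op")
        if len(out) > max_size:  # never grow past the signed Size
            raise ValueError("delta output exceeds signed Size")
    return bytes(out)

def rebuild_deb(old, ops, stanza):
    """Return the rebuilt .deb only if it matches the signed Size and SHA256."""
    size = int(stanza["Size"])
    new = apply_delta(old, ops, size)
    digest = hashlib.sha256(new).hexdigest()
    if len(new) != size or not hmac.compare_digest(digest, stanza["SHA256"]):
        raise ValueError("rebuilt package does not match signed Packages entry")
    return new
```

Because the only acceptance test is the signed Size and SHA256, an unsigned or tampered delta can at worst cause a rejection and a fallback to the full download.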


