[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [OT] Need old Packages.gz and Release Files

Michelle Konzack <linux4michelle@freenet.de> writes:

> Am 2008-04-25 16:07:51, schrieb Stefano Zacchiroli:
>> You are asking generically Packages without specifying a mirror. Are
>> they granted to be identically replicated among all mirrors?  Of course
>> they *probably* are due to how mirroring works, but is it *granted* that
>> there are no differences among mirrors?
>> Would such difference inhibit proper installation due to the apt-secure
>> stuff?

They have to be identical accross all mirrors.

Release.gpg safeguards Release
Release safeguards Packages.gz
Packages.gz safeguards foo_ver_arch.deb

If any checksum check along that line fails apt will complain.

And nobody can create the Release.gpg unless they have the key from
ftp-master. Somebody elses key won't be in apts keyring unless this is

> If you have for example the ORIGINAL CDs/DVD's of 3.1r4 I can build  the
> package tree from there since I have all original packages I only do not
> know which packages went included in the releases...

Did anyone mention http://archive.debian.org/README yet?

> And yes, there is a problem with the signed release files, but  since  I
> can check my packages agains packages on <archive.debian.net> I am sure,
> I have the right an unaltered ones.
> And IF I recreate the packages.gz/Sources.gz, I sign it with MY key  and
> you CAN trust it or not...
> And of course, you can pull down a couple of packages/files  out  of  my
> several million (nearly 20 TByte or ninety SCSI  300 GByte  drives)  and
> check it against packages/files from <archive.debian.net>...  :-)

If you get the Packages.gz, Release and Release.gpg files from a
CD/DVD set then you can verify them individually with the debian
archive key from that time and then merge them into a full list and
sign with your own key. You don't have to download anything from
archive.debian.net if you have those index file.


Reply to: