
Re: Packages that download/install unsecured files



Michael S Gilbert wrote:
> you could host just the hashes for the external files (signed with
> your key) on your site.  then you wouldn't have to duplicate
> upstream's data files nor spend (much) of your own bandwidth (since
> the hash files should be fairly small in most cases).
> 
> or maybe there could be a hash.debian.org or a project on alioth to
> centralize the hashes?

At least for the geoip package, there's no need for a DD to take the binaries
from upstream and sign them so that the package can validate them upon download.

Geoip upstream provides the source of these binary databases, so all we need
to do is find a consistent and reliable way to get new database updates, built
from source by Debian and propagated through the usual apt repositories. This
looks like a good candidate for volatile/backports. It looks like this method
works well for clamav-data and other similar packages which need to update
databases frequently on stable/oldstable.

Regards,
    Tom Feiner
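Added example (not from this thread or from any Debian package): the client side of the scheme Michael proposes above, where the maintainer publishes only a small sha256sum-style manifest signed with an OpenPGP key and the package verifies the signature, then the hash, before using anything it downloaded. The file name `GeoIP.dat`, the keyring path and the sample bytes are constructed placeholders.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path

def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum output ('<hex>  <name>' per line); blanks and '#' lines skipped."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum
    return entries

def verify_download(manifest_text: str, name: str, data: bytes) -> bool:
    """True only if `name` is listed in the manifest and `data` hashes to its digest."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False  # file not covered by the signed manifest: refuse, don't trust it
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

def manifest_signature_ok(manifest: Path, sig: Path, keyring: Path) -> bool:
    """Verify the detached OpenPGP signature on the manifest with gpg, trusting only
    the pinned keyring (the maintainer's key), never the user's default trust store."""
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--trust-model", "always", "--verify", str(sig), str(manifest)],
        capture_output=True)
    return result.returncode == 0

# Constructed sample: a one-line manifest for a hypothetical GeoIP database file.
SAMPLE_DATA = b"constructed geoip database bytes\n"
SAMPLE_MANIFEST = hashlib.sha256(SAMPLE_DATA).hexdigest() + "  GeoIP.dat\n"

if __name__ == "__main__":
    # In a real updater: manifest_signature_ok(...) first, then verify_download(...).
    print(verify_download(SAMPLE_MANIFEST, "GeoIP.dat", SAMPLE_DATA))         # True
    print(verify_download(SAMPLE_MANIFEST, "GeoIP.dat", SAMPLE_DATA + b"x"))  # False
```

An attacker who can tamper with upstream's download server can only cause a hash mismatch here; substituting a file requires the maintainer's signing key, which is the property the thread is after.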



