On Thu, Apr 15, 2010 at 02:44:07PM +0200, Raphael Hertzog wrote:
> On Tue, 23 Mar 2010, Wouter Verhelst wrote:
> > The idea would be to provide a path from a binary on disk to a GPG
> > signature for installed packages of which the user no longer has the
> > .deb file from which it was originally installed, nor the Packages
> > and/or Release.gpg file that was used to download it.
>
> Ok, it looks like a good goal.
Now that snapshot.debian.org is officially deployed (and I can't stop
thanking DSA and the other involved parties for that), let me highlight
another potential advantage of reaching this goal.
snapshot.d.o now has a really nice lookup interface from (SHA1) checksum
to the actual file [1]. So having an easy tool to retrieve the (SHA1)
checksum of a given file installed on disk would make trivial
re-downloading the corresponding .deb even years later (which would be
*awesome*).
[1] http://git.debian.org/?p=mirror/snapshot.debian.org.git;a=blob_plain;f=API;hb=HEAD
Keeping this goal in mind would mean either choosing SHA1 as hash format
or considering the possibility of extending the snapshot.d.o code to
support other hashes (I'm sure that Peter welcome patches :-)).
> As you see there are quite some questions that still need to be cleared up
> and again I think the DEP process would allow us to answer them
> progressively and end up with a clear agreed-upon plan.
Ditto.
Cheers.
--
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..| . |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime
Attachment:
signature.asc
Description: Digital signature