[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Mirror problems?

On Tue, 15 Mar 2011, Eduard Bloch wrote:

> #include <hallo.h>
> * Paul Wise [Tue, Mar 15 2011, 08:58:47AM]:
> 
> > What was the reason for adding InRelease anyway?
> 
> I guess (repeating: *guess*) the main reason is that GPG signature needs
> to be verified for the exact file contents. If you put them into two
> files then you have a certain window where they are inconsistent.

Yup.

Another fix would be to list *two* copied of each file's hash in the
(In)Release file.  The checksum of the new Packages (etc.) files and of
the old version.

Apt would then accept either version.

Of course this only makes sense for unstable which updates regularly.
For security we might consider doing it also, but re-issue a new
InRelease a few hours after the first mirror pulse that gets rid of the
old checksums.

For stable we probably wouldn't do that as the key to sign stuff is kept
offline, AIUI, so it becomes impractical.

-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
Reply to: