
Re: unsigned repositories



Hi,

Quoting David Kalnischkies (2019-08-05 10:09:09)
> So far all usecases mentioned here seem to be local repositories though.
> Nobody seems to be pulling unsigned repositories over the network [for good
> reasons]. So perhaps we can agree on dropping support for unsigned
> repositories for everything except copy/file sources?

This would work for sbuild.

> The other thing is repositories without a Release file, which seems to be
> something used (legally) by the same class of repositories only, too.  That
> is in my opinion the more useful drop as the logic to decide if a file can be
> acquired with(out) hashes or not is very annoying and would probably benefit
> a lot from an "if not-local: return must-hashes"

From the sbuild perspective it would be nice not having to generate the hashes
anymore which we need to create a Release file for the local repository. But
sbuild could only implement this feature once even apt in oldstable supports
it. By that time there are probably more interesting ways for sbuild to satisfy
the dependencies it generates (see below).

> What is it what you need? Sure, a local repository works, but that sounds
> painful and clunky to setup and like a workaround already, so in effect you
> don't like it and we don't like it either, it just happens to work so-so for
> both of us for the time being.

Yes, it would be nice not having to set up that local repository and just ask
apt to satisfy the dependencies we generate. But again, any feature of apt we
use must also be available in oldstable.

> > Yes. In sbuild we also cannot use other apt features like "apt-get
> > build-dep" because sbuild allows one to mangle the build dependencies, so
> > it works with dummy packages. So sbuild will have to keep creating its own
> > repository.
> Julian did "apt satisfy" recently and build-dep supports dsc files as input,
> so naively speaking, could sbuild just write a dsc file the same way it is
> now writing a Sources file? Also, --with-source actually allows to add
> Packages/Sources files as well, I use them for simulations only, but in
> theory they should work "for real", too.

Yes, that's all great! Now we just have to wait a couple of releases until
oldstable supports these features. Until then, please don't break what we
currently use without an alternative that *also* works well on oldstable.

Thanks!

cheers, josch
