
Bug#774279: snapshot.debian.org: please make it easier to find the timestamp/suite for a given list of packages



Package: snapshot.debian.org
Severity: wishlist

Hi,

given a versioned list of binary packages, it would be useful to be able
to reconstruct the Debian suite (stable/testing/unstable) and one
timestamp that all these packages are a part of.

This would be useful for:

 - checking the integrity of a third party chroot environment or disk
   image or vm/docker image [1]
 - reproducing builds using information from a buildinfo file [2]

[1] http://joeyh.name/blog/entry/docker_run_debian/
[2] https://wiki.debian.org/ReproducibleBuilds#Status

The snapshot.d.o API currently allows downloading binary packages by
using calls to
/mr/package/${srcpkg}/${srcver}/binfiles/${binpkg}/${binver}?fileinfo=1
and debsnap(1) is a nice way to automate this, but those downloads are
not verified through the GPG signature of a Release file which in turn
verifies the hash of a Packages file that this binary package is part
of.

If I understand the API correctly, then currently, the only way to
retrieve a Release file and Packages file containing the wanted package
is to look at the "first_seen" parameter of the above API response and
then try out all suites of this timestamp until a Packages file with the
wanted binary package is found.

Am I correct in concluding that currently this is the best/only way to
verify a binary package download from snapshot.debian.org?

If yes, could this be improved by adding the containing suites to the
result of the above API call? Maybe as an optional additional information?

Thanks!

cheers, josch
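As an added example, not part of the bug report or of the snapshot.debian.org code: an offline model of the lookup described above, where each suite of one timestamp is tried in turn and its Packages index is accepted only if it matches the size and SHA256 recorded in that suite's Release file. The Release and Packages data and the package versions are constructed here, and the Release file's OpenPGP signature is assumed to have been checked already (e.g. with gpgv), which this block does not do.

```python
# Added example: per-suite hash check of a Packages index against its Release
# file, then a scan for the wanted binary package. The Release signature check
# (gpgv over InRelease/Release.gpg) is assumed to have happened before this runs.
import hashlib
import re


def release_sha256_entries(release_text):
    """Map path -> (sha256 hex, size) from the SHA256 section of a Release file."""
    entries, in_sha256 = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field; only the SHA256: block counts
            in_sha256 = line.strip() == "SHA256:"
        elif in_sha256:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def packages_verified(release_text, packages_bytes, path):
    """True only if the Packages bytes match what the (signed) Release file records."""
    entry = release_sha256_entries(release_text).get(path)
    return (entry is not None and len(packages_bytes) == entry[1]
            and hashlib.sha256(packages_bytes).hexdigest() == entry[0])


def packages_lists(packages_bytes, binpkg, binver):
    """Scan the stanzas of a Packages file for an exact Package/Version match."""
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z-]+): (.*)$", stanza, re.M))
        if fields.get("Package") == binpkg and fields.get("Version") == binver:
            return True
    return False


def find_suites(snapshot, binpkg, binver, path="main/binary-amd64/Packages"):
    """Try every suite of one timestamp; return those whose verified index lists the package."""
    return sorted(s for s, (rel, pkgs) in snapshot.items()
                  if packages_verified(rel, pkgs, path) and packages_lists(pkgs, binpkg, binver))


# Constructed sample data (hypothetical versions) standing in for the API downloads.
def _release(suite, pkgs, path="main/binary-amd64/Packages"):
    return "Suite: %s\nSHA256:\n %s %d %s\n" % (suite, hashlib.sha256(pkgs).hexdigest(), len(pkgs), path)

STABLE_PKGS = b"Package: hello\nVersion: 2.8-4\nArchitecture: amd64\n\nPackage: foo\nVersion: 1.0\n"
UNSTABLE_PKGS = b"Package: hello\nVersion: 2.9-2\nArchitecture: amd64\n"
SNAPSHOT = {"stable": (_release("stable", STABLE_PKGS), STABLE_PKGS),
            "unstable": (_release("unstable", UNSTABLE_PKGS), UNSTABLE_PKGS),
            # index altered after Release was produced: rejected even though it lists hello
            "testing": (_release("testing", UNSTABLE_PKGS), UNSTABLE_PKGS + b"Size: 1\n")}
```

`find_suites(SNAPSHOT, "hello", "2.9-2")` returns `['unstable']`; the tampered "testing" index is skipped because its size and hash no longer match its Release file.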
