
Bug#774279: marked as done (snapshot.debian.org: please make it easier to find the timestamp/suite for a given list of packages)



Your message dated Thu, 01 Jan 2015 18:53:43 +0100
with message-id <20150101175343.18310.81447@hoothoot>
and subject line Re: snapshot.debian.org: please make it easier to find the timestamp/suite for a given list of packages
has caused the Debian Bug report #774279,
regarding snapshot.debian.org: please make it easier to find the timestamp/suite for a given list of packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774279: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774279
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: snapshot.debian.org
Severity: wishlist

Hi,

given a versioned list of binary packages, it would be useful to be able
to reconstruct the Debian suite (stable/testing/unstable) and one
timestamp that all these packages are a part of.

This would be useful for:

 - checking the integrity of a third party chroot environment or disk
   image or vm/docker image [1]
 - reproducing builds using information from a buildinfo file [2]

[1] http://joeyh.name/blog/entry/docker_run_debian/
[2] https://wiki.debian.org/ReproducibleBuilds#Status

The snapshot.d.o API currently allows downloading binary packages by
using calls to
/mr/package/${srcpkg}/${srcver}/binfiles/${binpkg}/${binver}?fileinfo=1
and debsnap(1) is a nice way to automate this, but those downloads are
not verified through the GPG signature of a Release file which in turn
verifies the hash of a Packages file that this binary package is part
of.

If I understand the API correctly, then currently, the only way to
retrieve a Release file and Packages file containing the wanted package
is to look at the "first_seen" parameter of above API response and then
try out all suites of this timestamp until a Packages file with the
wanted binary package is found.

Am I correct in concluding that currently this is the best/only way to
verify a binary package download from snapshot.debian.org?

If yes, could this be improved by adding the containing suites to the
result of above API call? Maybe as an optional additional information?

Thanks!

cheers, josch

--- End Message ---
--- Begin Message ---
It was agreed that the new api function
/mr/binary/${pkgname}/${version}/binfiles is sufficient for now. Thus, closing.

This bug was discussed on IRC. Here is a summary:

 - snapshot.d.o does not know anything about suites. Implementing such support
   would require quite some effort
 - while it is possible to create an API request that takes more than one
   package as an argument and returns an aggregated result, the current API
   interface format (hierarchical, separated by slashes) does not provide an
   obvious way to encode a list of packages
 - sometimes a single snapshot will not suffice as buildds are only updated
   once in a while, so the result would contain multiple suites
 - currently, two API calls are made per binary package by debsnap(1) and a
   script figuring out a sid snapshot (see either [1] or [2]). The first is to
   figure out the source package name which is necessary for the second call.
 - a new api function was added by Peter Palfrader which allows looking up the
   necessary information (last_seen) with only the binary package name and
   version, halving the amount of necessary queries
 - another way to solve this is by bisecting Packages files of different
   timestamps but this requires a fast downlink by the client

To allow all information to be retrieved in a single request would require a
good way to formulate a list of versioned package names which is consistent
with the rest of the interface.

Thanks!

cheers, josch

[1] http://people.debian.org/~paulproteus/lunar-verify-script.rb
[2] https://github.com/josch/buildinfo2snapshot/blob/master/buildinfo2snapshot.py

--- End Message ---
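
The verification chain the report asks for (Release file, then Packages file, then the binary package), as an added example that is not part of this thread or of the scripts linked in it. It assumes the Release file's GPG signature has already been checked with an external tool, and all sample data and function names are constructed for illustration.

```python
import hashlib

def release_sha256_entries(release_text):
    """Map path -> (sha256, size) from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def find_stanza(packages_text, name, version):
    """Return the fields of the stanza for name/version, or None."""
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line[:1].isspace():  # continuation line of a multi-line field
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if fields.get("Package") == name and fields.get("Version") == version:
            return fields
    return None

def verify_chain(release_text, packages_path, packages_bytes, name, version, deb_bytes):
    """Check Release -> Packages -> .deb; Release signature is assumed verified."""
    sha = lambda b: hashlib.sha256(b).hexdigest()
    listed = release_sha256_entries(release_text).get(packages_path)
    if listed != (sha(packages_bytes), len(packages_bytes)):
        return "Packages file does not match Release"
    stanza = find_stanza(packages_bytes.decode(), name, version)
    if stanza is None:
        return "package not in this suite/timestamp"  # try the next candidate
    if (stanza.get("SHA256"), stanza.get("Size")) != (sha(deb_bytes), str(len(deb_bytes))):
        return "deb does not match Packages"
    return "ok"

# Constructed sample data, not real archive contents.
DEB = b"constructed stand-in for hello_2.9-2_amd64.deb"
PACKAGES = (f"Package: hello\nVersion: 2.9-2\nArchitecture: amd64\n"
            f"Size: {len(DEB)}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n").encode()
PATH = "main/binary-amd64/Packages"
RELEASE = (f"Suite: unstable\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {PATH}\n")
```

The "package not in this suite/timestamp" result is the case that forces the suite-by-suite search described in the report.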
