Re: [OT] Need old Packages.gz and Release Files
Michelle Konzack <linux4michelle@freenet.de> writes:
> On 2008-04-25 16:07:51, Stefano Zacchiroli wrote:
>> You are asking generically Packages without specifying a mirror. Are
>> they granted to be identically replicated among all mirrors? Of course
>> they *probably* are due to how mirroring works, but is it *granted* that
>> there are no differences among mirrors?
>>
>> Would such difference inhibit proper installation due to the apt-secure
>> stuff?
They have to be identical across all mirrors.

Release.gpg safeguards Release
Release safeguards Packages.gz
Packages.gz safeguards foo_ver_arch.deb

If any checksum check along that line fails apt will complain.

And nobody can create the Release.gpg unless they have the key from
ftp-master. Somebody else's key won't be in apt's keyring unless this is
intentional.
> If you have for example the ORIGINAL CDs/DVD's of 3.1r4 I can build the
> package tree from there since I have all original packages I only do not
> know which packages were included in the releases...
Did anyone mention http://archive.debian.org/README yet?
> And yes, there is a problem with the signed release files, but since I
> can check my packages against packages on <archive.debian.net> I am sure,
> I have the right and unaltered ones.
>
> And IF I recreate the packages.gz/Sources.gz, I sign it with MY key and
> you CAN trust it or not...
>
> And of course, you can pull down a couple of packages/files out of my
> several million (nearly 20 TByte or ninety SCSI 300 GByte drives) and
> check it against packages/files from <archive.debian.net>... :-)
If you get the Packages.gz, Release and Release.gpg files from a
CD/DVD set then you can verify them individually with the debian
archive key from that time and then merge them into a full list and
sign with your own key. You don't have to download anything from
archive.debian.net if you have those index files.
Regards
Goswin
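
The checksum chain described in the reply above (Release covers Packages.gz, Packages.gz covers each .deb), as an added example that is not part of the original thread. It assumes Release has already been checked against Release.gpg, uses only the SHA256 fields, and the function names and sample data are constructed for illustration.

```python
import gzip, hashlib

def release_hashes(release_text, field="SHA256"):
    """Map path -> (hex digest, size) from one checksum section of a Release file."""
    entries, active = {}, False
    for line in release_text.splitlines():
        if active and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            active = line.strip() == field + ":"
    return entries

def package_stanzas(packages_text):
    """Yield each stanza of a Packages index as a dict of its fields."""
    for block in packages_text.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if l[:1] not in (" ", "\t")]  # skip continuations
        yield {k: v.strip() for k, _, v in (l.partition(":") for l in lines)}

def matches(data, digest, size):
    return len(data) == int(size) and hashlib.sha256(data).hexdigest() == digest

def verify_chain(release_text, index_path, packages_gz, debs):
    """Return failures; an empty list means every link below Release checks out.
    Assumes Release was already verified against Release.gpg (for example with gpgv)."""
    listed = release_hashes(release_text).get(index_path)
    if listed is None:
        return [index_path + ": not listed in Release"]
    if not matches(packages_gz, *listed):
        return [index_path + ": does not match Release"]
    failures = []
    for pkg in package_stanzas(gzip.decompress(packages_gz).decode()):
        data = debs.get(pkg["Filename"])
        if data is None:
            failures.append(pkg["Filename"] + ": missing")
        elif not matches(data, pkg["SHA256"], pkg["Size"]):
            failures.append(pkg["Filename"] + ": does not match Packages.gz")
    return failures

def build_sample():
    """Constructed sample: one stand-in .deb, its Packages.gz and a Release file."""
    deb, path = b"constructed stand-in for a .deb", "pool/main/f/foo/foo_1.0_i386.deb"
    packages = (f"Package: foo\nVersion: 1.0\nFilename: {path}\nSize: {len(deb)}\n"
                f"SHA256: {hashlib.sha256(deb).hexdigest()}\nDescription: constructed\n")
    packages_gz = gzip.compress(packages.encode())
    index = "main/binary-i386/Packages.gz"
    release = ("Suite: constructed\nSHA256:\n"
               f" {hashlib.sha256(packages_gz).hexdigest()} {len(packages_gz)} {index}\n")
    return release, index, packages_gz, {path: deb}
```

Index files from older releases may list only MD5Sum and SHA1 entries, in which case the field names passed to the parser and the hash function would have to change accordingly.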