
Bug#128818: [patch] packages.gz diff support for apt



On Wed, Nov 24, 2004 at 11:18:44PM +0100, Michael Vogt wrote:
> On Wed, Nov 24, 2004 at 04:49:34AM +1000, Anthony Towns wrote:
> > Knowing the md5sum of the patches is useful just in case diff has a
> > root exploit. 
> 
> I'm not sure if I understand this correctly. You think that someone
> could sneak in a rogue diff to exploit apt?

ed also comes with 'red', which doesn't allow any execution, just buffer
manipulation commands. The subset of ed needed for this application can
also be manually reimplemented, it is extremely simple (indexed linewise
removals and additions).
 
> > Knowing the date of the resulting Packages file you're going to
> > create at each step is useful for debugging -- while you might
> > expect daily patches for testing/unstable, they'll come at much more
> > irregular intervals for stable or security updates.
> 
> That's indeed useful.

You could make sure the patch files have the same mtime as the resulting
packages file, and then on client side, you touch the result towards the
date that the http/ftp protocol tells you the patch file is -- just as
with size, also date can be transferred via the protocol.

--Jeroen

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl
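
Added example, not part of the original message and not apt's code: a sketch of the manual reimplementation of the ed subset described above, accepting only indexed linewise append, change and delete and rejecting every other command. The names `apply_ed_script` and `PatchError` and the sample data are assumptions made for illustration.

```python
import re

# Only the address forms and commands needed here: N[,M] then a, c or d.
_CMD = re.compile(r"([0-9]+)(?:,([0-9]+))?([acd])")

class PatchError(ValueError):
    """Raised for any script line outside the accepted subset."""

def apply_ed_script(lines, script):
    """Apply an ed-style script to a list of lines (no trailing newlines).

    Pure list manipulation: no shell escape, no file commands, no
    substitution. Anything that is not N[,M]{a,c,d} is rejected.
    """
    out = list(lines)
    it = iter(script)
    for cmd in it:
        m = _CMD.fullmatch(cmd)
        if not m:
            raise PatchError(f"command not allowed: {cmd!r}")
        start, op = int(m.group(1)), m.group(3)
        end = int(m.group(2)) if m.group(2) else start
        if op == "a" and m.group(2):
            raise PatchError(f"append takes one address: {cmd!r}")
        if end < start or end > len(out) or (op != "a" and start < 1):
            raise PatchError(f"line range out of bounds: {cmd!r}")
        new = []
        if op in "ac":
            # The text block runs until a line holding a single ".".
            for text in it:
                if text == ".":
                    break
                new.append(text)
            else:
                raise PatchError("unterminated text block")
        if op == "a":
            out[start:start] = new      # insert after line `start` (0 = top)
        else:
            out[start - 1:end] = new    # replace or delete lines start..end
    return out

# Constructed sample: a tiny Packages-like file and a script in the
# highest-line-first order that an ed-style diff uses.
SAMPLE_OLD = ["Package: foo", "Version: 1.0", "Package: bar", "Version: 2.0"]
SAMPLE_SCRIPT = ["4c", "Version: 2.1", ".", "2d", "0a", "Package: new", "."]

if __name__ == "__main__":
    print("\n".join(apply_ed_script(SAMPLE_OLD, SAMPLE_SCRIPT)))
```

A line that consists of a single "." cannot be carried inside a text block by this subset; a script that needs one is rejected as an unknown command rather than handled.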


