On 4/12/25 18:13, Julian Andres Klode wrote:
it is just confusing/irritating that Packages has to exist, even though nothing ever downloads it.
Control: severity -1 wishlist
A Release file always needs to list the decompressed file otherwise the file cannot be verified for correctness post extraction. The uncompressed file doesn't need to exist for that. This is documented in the repository format specification
OK, that makes sense.
I thought/hoped apt could validate the sha512 + length of Packages.zst *before* decompression, and therefore wouldn't need to also validate the sha512 + length of Packages *after* decompression.
But if it did that and then made a mistake (checking neither in some edge case scenario), the impact would be high.
So I think the existing behaviour (always checking the uncompressed sum+length) is reasonable.
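
The two checks discussed in this thread, as an added example that is not part of the original message and is not apt's code: the compressed index is checked against its Release entry before decompression, then the decompressed bytes are checked against the uncompressed entry, which must be listed even if that file is never published. Assumptions: gzip stands in for zstd so the sketch needs only the standard library, and the function names, paths and sample data are constructed for illustration.

```python
import gzip
import hashlib
import io

def parse_sha512(release_text):
    """Return {path: (sha512_hex, size)} from a Release file's SHA512 field."""
    entries, in_field = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA512:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_field = False
    return entries

def matches(data, entry):
    """True when both the length and the SHA512 of data match the entry."""
    digest, size = entry
    return len(data) == size and hashlib.sha512(data).hexdigest() == digest

def verify_index(release_text, base, compressed):
    """Check base + '.gz' before decompression, then base after it."""
    entries = parse_sha512(release_text)
    if base not in entries or base + ".gz" not in entries:
        return "missing entry"  # the uncompressed entry has to be listed
    if not matches(compressed, entries[base + ".gz"]):
        return "compressed mismatch"
    limit = entries[base][1]
    try:
        # Read at most limit + 1 bytes: an oversized stream fails the length
        # check instead of being expanded in full.
        plain = gzip.GzipFile(fileobj=io.BytesIO(compressed)).read(limit + 1)
    except (OSError, EOFError):
        return "decompression error"
    return "ok" if matches(plain, entries[base]) else "uncompressed mismatch"

def build_sample():
    """Constructed sample: a tiny Packages index and a matching Release."""
    base = "main/binary-amd64/Packages"
    plain = b"Package: hello\nVersion: 1.0\n\n"
    comp = gzip.compress(plain)
    lines = ["Suite: example", "SHA512:"]
    for name, data in ((base, plain), (base + ".gz", comp)):
        lines.append(f" {hashlib.sha512(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n", base, comp
```
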