[prev in list] [next in list] [prev in thread] [next in thread] 

List:       debian-security
Subject:    Re: Compatibility of security mirror
From:       Goswin von Brederlow <goswin-v-b () web ! de>
Date:       2009-09-23 8:08:15
Message-ID: 87skeeytg0.fsf () frosties ! localdomain
[Download RAW message or body]

Russ Allbery <rra@debian.org> writes:

> Lee Winter <lee.j.i.winter@gmail.com> writes:
>> On Wed, Sep 16, 2009 at 3:54 PM, Russ Allbery <rra@debian.org> wrote:
>
>>> There's a one-to-one correspondance between an entry in sources.list
>>> and the metadata that apt expects to find in the repository, which in
>>> turn is signed.  You would have to combine the metadata in order to
>>> combine the sources.list lines, which would then require resigning the
>>> metadata.
>
>> OK, this is where it starts to get interesting.  I didn't see much more
>> than passing references to this in the apt doc.  Did I miss it or are
>> there other docs that describe the repository structure?  Should I be
>> looking at the doc about creating packages or for creating releases?
>
> I'm afraid I have no idea where it might be documented.  The above
> statement is from experience dealing with apt and various local
> repositories rather than taken from documentation.  :/
>
> Back when I made a foray into writing tools to generate a local repository
> and then patching debarchiver, I found it rather difficult to find
> coherent documentation of all of the features of the Debian archive layout
> and mostly resorted to looking at the Debian archives and reading source
> code.

Actualy I might have been wrong about file conflicts between debian
and security. I thought the Release and Release.gpg files would
collide. But as it turns out the Release(.gpg) files for security are
also under updates.

So it is possible to combine the two into

/dists/lenny/Release
/dists/lenny/Release.gpg
/dists/lenny/{main,contrib,non-free}
/dists/lenny/updates/Release
/dists/lenny/updates/Release.gpg
/dists/lenny/updates/{main,contrib,non-free}
/pool/{main,contrib,non-free}
/pool/updates/{main,contrib,non-free}

You can probably convince debmirror to do this with the right ignore
options.

BUT that doesn't really help. You still need:

deb http://mirror/debian lenny main contrib non-free
deb http://mirror/debian lenny/updates main contrib non-free

And if you need 2 lines in sources.list anyway then you might as well
use

deb http://mirror/debian lenny main contrib non-free
deb http://mirror/debian-security lenny/updates main contrib non-free

and keep the debmirror calls simpler.



Just for information an apt repository is structured like this:

deb http://HOST/PATH SUITE DIST [DIST [...]]

/PATH/dists/SUITE/Release                   <- checksums of Packages files
/PATH/dists/SUITE/Release.gpg               <- signature of above
/PATH/dists/SUITE/DIST/binary-ARCH/Packages <- lists debs
/PATH/dists/SUITE/DIST/binary-ARCH/Release  <- pining infos
/PATH/FILENAME                              <- FILENAME from Packages file

or (iirc)

deb http://HOST/BASE PATH/

/BASE/PATH/Release                   <- checksums of Packages files
/BASE/PATH/Release.gpg               <- signature of above
/BASE/PATH/Packages                  <- lists debs
/BASE/FILENAME                       <- FILENAME from Packages file

The later form is not often used and not by Debian. Anything else,
from the point of apt, of the archive structure is determined by the
contents of the Packages (and Sources) file.

MfG
        Goswin


-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

[prev in list] [next in list] [prev in thread] [next in thread]