On Thu, Mar 23, 2006 at 11:14:10PM -0500, Eric Cooper wrote:
> In order to support "secure apt" (apt >= 0.6), approx always checks
> upstream for Release and Release.gpg files. Otherwise, you might end
> up with an inconsistent pair of these (one from your cache, one from
> upstream), causing apt's signature verification to fail. (This is
> especially likely if you have mixed sarge and etch clients: the sarge
> ones only reference the Release files, while the etch ones reference
> both Release and Release.gpg, making it much more probable that the
> cache would get inconsistent.)

If so, I think it should always fetch both Release and Release.gpg, even if only Release is requested, but not refetch them from upstream if they are not older than "interval". But if one of them is refetched for some reason, then approx should refetch the other one too. This way we would always have matching Release and Release.gpg, but still allow to keep old Packages file, if the user doesn't need the freshest one, and sets "interval" to something big.

-- 
Miernik  _________________________  xmpp:[EMAIL PROTECTED]
___________________/_______________________/ mailto:[EMAIL PROTECTED]
Protect Europe from a legal disaster. Petition against software patents
http://www.noepatents.org/index_html?LANG=en
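
The refresh policy proposed in the message above, as an added example that is not part of the original message or of approx's own code: Release and Release.gpg are reused while both are within "interval", and refetched together as soon as either one needs refetching. The names `refresh_pair`, `stale`, `cache_dir` and the `fetch` callable are hypothetical, "interval" is assumed to be in seconds, and installing the files only after both downloads succeed is an assumption added here.

```python
import os
import time

PAIR = ("Release", "Release.gpg")  # the two files apt verifies against each other


def stale(path, interval, now):
    """True if the cached file is missing or older than `interval` seconds."""
    try:
        return now - os.stat(path).st_mtime > interval
    except FileNotFoundError:
        return True


def refresh_pair(cache_dir, interval, fetch, now=None, force=False):
    """Refresh Release and Release.gpg together or not at all.

    `fetch(name)` is a hypothetical callable returning the upstream bytes.
    Returns the names fetched (empty list when the cached pair is reused).
    """
    now = time.time() if now is None else now
    paths = {name: os.path.join(cache_dir, name) for name in PAIR}
    if not force and not any(stale(p, interval, now) for p in paths.values()):
        return []  # both files are fresh: serve the cached, matching pair

    # One member needs refetching, so download both before touching the cache.
    # If either download raises, the old pair stays in place untouched.
    bodies = {name: fetch(name) for name in PAIR}
    for name, body in bodies.items():
        with open(paths[name] + ".tmp", "wb") as f:
            f.write(body)
    for name in PAIR:
        os.replace(paths[name] + ".tmp", paths[name])
        os.utime(paths[name], (now, now))  # both get the same fetch time
    return list(PAIR)
```

A request for only Release (a sarge client) goes through the same call as a request for both, so the cache never holds a Release from one upstream snapshot and a Release.gpg from another.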