Hi Ansgar, thank you for chiming in!
Quoting Ansgar 🙀 (2025-04-02 21:41:39) > regarding your analysis: I think you could just scan the .changes files as > they list all *.deb files uploaded.> Though very old changes only have MD5 > hashes. > > They can be found in > file://mirror.ftp-master.debian.org/srv/ftp-master.debian.org/queue/done are those the changes files uploading *.debs produced by the buildds? Does that include *.changes files from package builds which only ever affected incoming because there was a new build of the same package before the next dinstall? Looking at those .changes files, it indeed seems that the binNMUs were made by the buildds, so those are not maintainer changes files. > Regarding your observation regarding bash not showing up in any Packages > index: that can happen for (at least) two reasons. The snapshot service does > not retrieve all Packages files. You mean the snapshot service was buggy and forgot to retrieve an arm64 Packages file? Is that likely? Lets have a look: http://snapshot.debian.org/package/bash/5.2.15-2/#bash_5.2.15-2:2b:b3 We have two different copies of bash:arm64=5.2.15-2+b3: 20230713T211109Z until 20230813T092534Z 01ee4cfa3df78e7ff0dc156ff19e2c88 597e85b2fdc7fe9da3f3215030e7c3dead3f464c 828ce0b4445921fff5b6394e74cce8296f3038d559845a3e82435b55ca6fcaa8 http://snapshot.debian.org/archive/debian/20230713T211109Z/pool/main/b/bash/bash/bash_5.2.15-2%2Bb3_arm64.deb 20240331T210805Z until 20240402T025937Z 2f8db1d53e5b2e6292b3c408d55ae5de 1a0b12419b69a983bf22ac1d3d9f8bec725487b1 58000b621cceafd717ed0bf4cb428ba1220c0e1993620bde8ad8a3ccc765780b http://snapshot.debian.org/archive/debian/20240331T210805Z/pool/main/b/bash/bash_5.2.15-2%2Bb3_arm64.deb I had a look at the changes files stored in /srv/ftp-master.debian.org/queue/done/2024/03.tar.xz and indeed there I found 03/31/bash_5.2.15-2+b3_arm64-buildd.changes which is the binNMU to Bookworm. The same tarball contains another changes file for bash from eight hours later called 03/31/bash_5.2.15-2+b7_arm64-buildd.changes. Maybe it is indeed possible that snapshot.d.o skipped the one Packages for Bookworm file that should've contained the former version? > Or the package could have been superseded by a newer version before it was > ever published in a dinstall run. But hashes of packages that were never published by a dinstall should be part of the changes file on coccia, right? That would be really nice! A year of changes files seems to be just around 2.6 GB which is really tiny compared to the data I was processing before. Is this really the silver bullet that solves all my problems with finding these hash collisions? Can I just scp those tar.xz files from coccia to my local box and process them to my heart's content? Is there a catch? Thanks! cheers, josch
signature.asc
Description: signature
