Santiago Vila <[EMAIL PROTECTED]> writes:

> On Wed, 23 Nov 2005, Goswin von Brederlow wrote:
>
>> But in the general case it would be nice if apt-get would get the
>> file/size/md5sum from a trusted Packages file and then fetch the deb
>> from an untrusted source if it matches.
>
> On Wed, 23 Nov 2005, Andras Korn wrote:
>
>> [...] if two packages have the same size and md5sum, they can IMO be
>> assumed to have the same signatures too.
>
> Hi.
>
> I agree with Goswin and Andras here. If sources.list is like this:
>
> deb file:/local-repository
> deb http://official-mirror
>
> and package "foo" is in both repositories, and it has the same md5sum,
> the fact that it's authenticated in http://official-mirror should be
> enough to consider it authenticated in file:/local-repository as well.
>
> In other words, apt's internal logic should be changed: It should be
> the md5sum of a package (i.e. "the package itself") what is to be considered
> authenticated or not, not the pair "package foo from repository bar".
>
> Or at least there should be an option for apt to behave in this way.
>
> It does not make much sense that the user has to fiddle with gpg, keys,
> signatures, etc. when everything he wants to do is to have a local
> repository which serves as a cache for packages which are already
> authenticated by other means.
>
> Thanks.

Even more so the same logic should apply to Packages and Sources
files. My sources.list often looks like this:

deb file:/local-mirror sid main contrib non-free
deb-src copy:/local-mirror sid main contrib non-free
deb http://near-official-mirror sid main contrib non-free
deb-src http://near-official-mirror sid main contrib non-free
deb http://ftp.debian.org/debian sid main contrib non-free
deb-src http://ftp.debian.org/debian sid main contrib non-free

It would be real nice if apt-get would only fetch the local
Packages/Sources files and see that the near official mirror and
ftp.debian.org both have the same metafiles. With pdiff files that
would save downloading 24 pdiffs a day and we all know how long they
take. With normal files 12 meta files could be skipped on a good day
(when local is in sync).

Regards,
        Goswin
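
The check proposed in this thread (take size and md5sum from a trusted Packages file, then accept a .deb from an untrusted source only if it matches), as an added example that is not part of the original mail and is not apt's code. It assumes the Packages text was already authenticated by other means, also checks the SHA256 field when the stanza carries one, and the names `parse_packages` and `verify_deb` are hypothetical.

```python
import hashlib

# Digest fields of a Packages stanza, mapped to hashlib algorithm names.
DIGEST_FIELDS = {"MD5sum": "md5", "SHA256": "sha256"}

def parse_packages(text):
    """Parse Packages-style stanzas into {package name: {field: value}}.
    Simplification: keyed by name only, ignoring version and architecture."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation line
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            index[fields["Package"]] = fields
    return index

def verify_deb(trusted_index, package, data):
    """Return (ok, reason) for bytes fetched from an untrusted source."""
    entry = trusted_index.get(package)
    if entry is None:
        return False, "not listed in trusted Packages file"
    if "Size" not in entry or len(data) != int(entry["Size"]):
        return False, "size mismatch"
    checked = 0
    for field, algo in DIGEST_FIELDS.items():
        if field in entry:
            if hashlib.new(algo, data).hexdigest() != entry[field].lower():
                return False, field + " mismatch"
            checked += 1
    if checked == 0:   # fail closed: a size match alone proves nothing
        return False, "no digest in trusted entry"
    return True, "matches trusted entry"

# Constructed sample data: a stand-in payload and a stanza built from it.
SAMPLE_DEB = b"constructed stand-in for foo_1.0_all.deb"
SAMPLE_PACKAGES = (
    "Package: foo\nVersion: 1.0\n"
    "Filename: pool/main/f/foo/foo_1.0_all.deb\n"
    "Size: %d\nMD5sum: %s\nSHA256: %s\n"
    % (len(SAMPLE_DEB), hashlib.md5(SAMPLE_DEB).hexdigest(),
       hashlib.sha256(SAMPLE_DEB).hexdigest())
)

if __name__ == "__main__":
    idx = parse_packages(SAMPLE_PACKAGES)
    print(verify_deb(idx, "foo", SAMPLE_DEB))         # copy from local cache
    print(verify_deb(idx, "foo", SAMPLE_DEB + b"x"))  # altered copy
```

The trust decision rests entirely on how the Packages file itself was authenticated; the source the .deb bytes came from plays no part in the result.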