On Tue, 15 Mar 2011, Eduard Bloch wrote:
> #include <hallo.h>
> * Paul Wise [Tue, Mar 15 2011, 08:58:47AM]:
>
> > What was the reason for adding InRelease anyway?
>
> I guess (repeating: *guess*) the main reason is that the GPG signature needs
> to be verified for the exact file contents. If you put them into two
> files then you have a certain window where they are inconsistent.
Yup.

Another fix would be to list *two* copies of each file's hash in the
(In)Release file: the checksum of the new Packages (etc.) files and of
the old version. Apt would then accept either version.

Of course this only makes sense for unstable, which updates regularly.
For security we might consider doing it also, but re-issue, a few hours
after the first mirror pulse, a new InRelease that gets rid of the old
checksums. For stable we probably wouldn't do that, as the key to sign
stuff is kept offline, AIUI, so it becomes impractical.

-- 
                           |  .''`.  ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Archive: http://lists.debian.org/20110315093629.gk9...@anguilla.noreply.org
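The scheme proposed above, as an added example that is not part of the original mail, of apt's code, or of the Debian archive tooling: a client-side check that parses the SHA256 stanza of an (In)Release body, accepts a downloaded index if its digest and size match any of the entries listed for that path (so both the old and the new Packages file are accepted during a mirror pulse), and a helper that produces the follow-up Release text with the stale checksums dropped. The field layout ("SHA256:" followed by indented "<digest> <size> <path>" lines) is the real Release format; the file contents and the Release text are constructed for the example, and the code assumes the clearsign signature on the InRelease body has already been verified before this check runs.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample index contents (not real Debian data).
OLD_PACKAGES = b"Package: foo\nVersion: 1.0\nArchitecture: amd64\n\n"
NEW_PACKAGES = b"Package: foo\nVersion: 1.1\nArchitecture: amd64\n\n"
FORGED_PACKAGES = b"Package: foo\nVersion: 1.1-evil\nArchitecture: amd64\n\n"
PKG_PATH = "main/binary-amd64/Packages"

# One checksum entry line in a Release file: " <hex digest> <size> <path>"
_ENTRY_RE = re.compile(r"^\s+([0-9a-fA-F]+)\s+(\d+)\s+(\S+)\s*$")


def _entry_line(content: bytes, path: str, algo=hashlib.sha256) -> str:
    """Render one checksum line the way dak writes them (digest size path)."""
    return f" {algo(content).hexdigest()} {len(content)} {path}"


# Constructed (In)Release body listing BOTH the old and the new checksum of
# the same Packages file, i.e. the two-copies proposal. The SHA512 stanza
# is there only to show that the parser is scoped to one stanza.
SAMPLE_RELEASE = "\n".join([
    "Origin: Debian",
    "Suite: unstable",
    "SHA256:",
    _entry_line(OLD_PACKAGES, PKG_PATH),
    _entry_line(NEW_PACKAGES, PKG_PATH),
    "SHA512:",
    _entry_line(NEW_PACKAGES, PKG_PATH, hashlib.sha512),
]) + "\n"


def parse_sha256_stanza(release_text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Return {path: [(hexdigest, size), ...]} from the SHA256: stanza.

    A path may appear more than once; that is exactly what the proposal
    relies on (old and new checksum of the same file side by side).
    """
    entries: Dict[str, List[Tuple[str, int]]] = {}
    in_stanza = False
    for line in release_text.splitlines():
        if not line.startswith((" ", "\t")):
            # A field line: enter the stanza on "SHA256:", leave it on any other field.
            in_stanza = line.strip() == "SHA256:"
            continue
        if not in_stanza:
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, path = m.group(1).lower(), int(m.group(2)), m.group(3)
        entries.setdefault(path, []).append((digest, size))
    return entries


def verify_index(release_text: str, path: str, content: bytes) -> bool:
    """Accept `content` for `path` if it matches ANY listed (digest, size).

    Both digest and size must match, as apt checks; a path with no entry
    at all is never accepted.
    """
    candidates = parse_sha256_stanza(release_text).get(path, [])
    if not candidates:
        return False
    actual = hashlib.sha256(content).hexdigest()
    return any(d == actual and s == len(content) for d, s in candidates)


def reissue_without_stale(release_text: str, current: Dict[str, bytes]) -> str:
    """Build the follow-up Release text that the thread suggests publishing
    a few hours after the mirror pulse: for every path in `current`, keep
    only the SHA256 entry matching the current content and drop the rest.
    """
    out = []
    in_stanza = False
    for line in release_text.splitlines():
        if not line.startswith((" ", "\t")):
            in_stanza = line.strip() == "SHA256:"
            out.append(line)
            continue
        m = _ENTRY_RE.match(line) if in_stanza else None
        if m is not None and m.group(3) in current:
            if m.group(1).lower() != hashlib.sha256(current[m.group(3)]).hexdigest():
                continue  # stale checksum: drop it
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("old accepted:", verify_index(SAMPLE_RELEASE, PKG_PATH, OLD_PACKAGES))
    print("new accepted:", verify_index(SAMPLE_RELEASE, PKG_PATH, NEW_PACKAGES))
    print("forged accepted:", verify_index(SAMPLE_RELEASE, PKG_PATH, FORGED_PACKAGES))
    reissued = reissue_without_stale(SAMPLE_RELEASE, {PKG_PATH: NEW_PACKAGES})
    print("old accepted after re-issue:", verify_index(reissued, PKG_PATH, OLD_PACKAGES))
```

The window this closes is only the mismatch between a freshly signed Release and a not-yet-updated Packages file on a mirror; it does nothing for the Release/Release.gpg split that the quoted reply describes, and the check above is only meaningful after the InRelease signature itself has been verified, since an attacker who can rewrite the checksum stanza can list any digest they like.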