Russ Allbery <r...@debian.org> writes: > Lee Winter <lee.j.i.win...@gmail.com> writes: >> On Wed, Sep 16, 2009 at 3:54 PM, Russ Allbery <r...@debian.org> wrote: > >>> There's a one-to-one correspondance between an entry in sources.list >>> and the metadata that apt expects to find in the repository, which in >>> turn is signed. You would have to combine the metadata in order to >>> combine the sources.list lines, which would then require resigning the >>> metadata. > >> OK, this is where it starts to get interesting. I didn't see much more >> than passing references to this in the apt doc. Did I miss it or are >> there other docs that describe the repository structure? Should I be >> looking at the doc about creating packages or for creating releases? > > I'm afraid I have no idea where it might be documented. The above > statement is from experience dealing with apt and various local > repositories rather than taken from documentation. :/ > > Back when I made a foray into writing tools to generate a local repository > and then patching debarchiver, I found it rather difficult to find > coherent documentation of all of the features of the Debian archive layout > and mostly resorted to looking at the Debian archives and reading source > code.
Actualy I might have been wrong about file conflicts between debian and security. I thought the Release and Release.gpg files would collide. But as it turns out the Release(.gpg) files for security are also under updates. So it is possible to combine the two into /dists/lenny/Release /dists/lenny/Release.gpg /dists/lenny/{main,contrib,non-free} /dists/lenny/updates/Release /dists/lenny/updates/Release.gpg /dists/lenny/updates/{main,contrib,non-free} /pool/{main,contrib,non-free} /pool/updates/{main,contrib,non-free} You can probably convince debmirror to do this with the right ignore options. BUT that doesn't really help. You still need: deb http://mirror/debian lenny main contrib non-free deb http://mirror/debian lenny/updates main contrib non-free And if you need 2 lines in sources.list anyway then you might as well use deb http://mirror/debian lenny main contrib non-free deb http://mirror/debian-security lenny/updates main contrib non-free and keep the debmirror calls simpler. Just for information an apt repository is structured like this: deb http://HOST/PATH SUITE DIST [DIST [...]] /PATH/dists/SUITE/Release <- checksums of Packages files /PATH/dists/SUITE/Release.gpg <- signature of above /PATH/dists/SUITE/DIST/binary-ARCH/Packages <- lists debs /PATH/dists/SUITE/DIST/binary-ARCH/Release <- pining infos /PATH/FILENAME <- FILENAME from Packages file or (iirc) deb http://HOST/BASE PATH/ /BASE/PATH/Release <- checksums of Packages files /BASE/PATH/Release.gpg <- signature of above /BASE/PATH/Packages <- lists debs /BASE/FILENAME <- FILENAME from Packages file The later form is not often used and not by Debian. Anything else, from the point of apt, of the archive structure is determined by the contents of the Packages (and Sources) file. MfG Goswin -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org