Your message dated Thu, 01 Jan 2015 18:53:43 +0100 with message-id <20150101175343.18310.81447@hoothoot> and subject line Re: snapshot.debian.org: please make it easier to find the timestamp/suite for a given list of packages has caused the Debian Bug report #774279, regarding snapshot.debian.org: please make it easier to find the timestamp/suite for a given list of packages to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 774279: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774279 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: snapshot.debian.org Severity: wishlist Hi, given a versioned list of binary packages, it would be useful to be able to reconstruct the Debian suite (stable/testing/unstable) and one timestamp that all these packages are a part of. This would be useful for: - checking the integrity of a third party chroot environment or disk image or vm/docker image [1] - reproducing builds using information from a buildinfo file [2] [1] http://joeyh.name/blog/entry/docker_run_debian/ [2] https://wiki.debian.org/ReproducibleBuilds#Status The snapshot.d.o API currently allows downloading binary packages by using calls to /mr/package/${srcpkg}/${srcver}/binfiles/${binpkg}/${binver}?fileinfo=1 and debsnap(1) is a nice way to automate this, but those downloads are not verified through the GPG signature of a Release file which in turn verifies the hash of a Packages file that this binary package is part of. If I understand the API correctly, then currently, the only way to retrieve a Release file and Packages file containing the wanted package is to look at the "first_seen" parameter of above API response and then try out all suits of this timestamp until a Packages file with the wanted binary package is found. Am I correct in concluding that currently this is the best/only way to verify a binary package download from snapshot.debian.org? If yes, could this be improved by adding the containing suites to the result of above API call? Maybe as an optional additional information? Thanks! cheers, josch
--- End Message ---
--- Begin Message ---It was agreed that the new api function /mr/binary/${pkgname}/${version}/binfiles is sufficient for now. Thus, closing. This bug was discussed on IRC. Here is a summary: - snapshot.d.o does not know anything about suites. Implementing such support would require quite some effort - while it is possible to create an API request that takes more than one package as an argument and return an aggregated result, the current API interface format (hierarchical, separated by slashes) does not provide an obvious way to encode a list of packages - sometimes a single snapshot will not suffice as buildds are only updated once in a while, so the result would contain multiple suites - currently, two API calls are made per binary package by debsnap(1) and a script figuring out a sid snapshot (see either [1] or [2]). The first is to figure out the source package name which is necessary for the second call. - a new api function was added by Peter Palfrader which allows to lookup the necessary information (last_seen) with only the binary package name and version, halving the amount of necessary queries - another way to solve this, is by bisecting Packages files of different timestamps but this requires a fast downlink by the client To allow all information to be retrieved in a single request would require a good way to formulate a list of versioned package names which is consistent with the rest of the interface. Thanks! cheers, josch [1] http://people.debian.org/~paulproteus/lunar-verify-script.rb [2] https://github.com/josch/buildinfo2snapshot/blob/master/buildinfo2snapshot.py
--- End Message ---
