Michelle Konzack <[EMAIL PROTECTED]> writes:

> On 2008-04-25 16:07:51, Stefano Zacchiroli wrote:
>> You are asking generically Packages without specifying a mirror. Are
>> they granted to be identically replicated among all mirrors? Of course
>> they *probably* are due to how mirroring works, but is it *granted* that
>> there are no differences among mirrors?
>>
>> Would such difference inhibit proper installation due to the apt-secure
>> stuff?
They have to be identical across all mirrors.

Release.gpg safeguards Release
Release safeguards Packages.gz
Packages.gz safeguards foo_ver_arch.deb

If any checksum check along that line fails apt will complain. And
nobody can create the Release.gpg unless they have the key from
ftp-master. Somebody else's key won't be in apt's keyring unless this
is intentional.

> If you have for example the ORIGINAL CDs/DVD's of 3.1r4 I can build the
> package tree from there since I have all original packages I only do not
> know which packages were included in the releases...

Did anyone mention http://archive.debian.org/README yet?

> And yes, there is a problem with the signed release files, but since I
> can check my packages against packages on <archive.debian.net> I am sure,
> I have the right and unaltered ones.
>
> And IF I recreate the packages.gz/Sources.gz, I sign it with MY key and
> you CAN trust it or not...
>
> And of course, you can pull down a couple of packages/files out of my
> several million (nearly 20 TByte or ninety SCSI 300 GByte drives) and
> check it against packages/files from <archive.debian.net>... :-)

If you get the Packages.gz, Release and Release.gpg files from a CD/DVD
set then you can verify them individually with the debian archive key
from that time and then merge them into a full list and sign with your
own key. You don't have to download anything from archive.debian.net if
you have those index files.

Regards
        Goswin
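The three-link chain Goswin describes (Release.gpg over Release, Release over the index, the index over the .deb), as an added Python example that is not part of the mail thread or of apt itself. It assumes a Release file with a SHA256 section and an uncompressed `main/binary-i386/Packages` index (real archives also list Packages.gz), uses a constructed stand-in .deb, and delegates the signature link to the external `gpgv` tool, which the self-check does not run.

```python
import hashlib
import subprocess

def parse_release_hashes(release_text, algo="SHA256"):
    """Map index path -> (hexdigest, size) from one checksum section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # section header ("SHA256:") or plain field
            in_section = line.rstrip(":") == algo
        elif in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text):
    """Map Filename -> field dict for every stanza of a Packages file."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        out[fields["Filename"]] = fields
    return out

def release_signature_ok(release_path, sig_path, keyring):
    """Link 1: Release.gpg must verify against Release with the archive keyring (external gpgv)."""
    return subprocess.run(["gpgv", "--keyring", keyring, sig_path, release_path]).returncode == 0

def index_ok(release_text, index_path, index_bytes):
    """Link 2: the Packages index must match the size and digest listed in Release."""
    digest, size = parse_release_hashes(release_text)[index_path]
    return len(index_bytes) == size and hashlib.sha256(index_bytes).hexdigest() == digest

def deb_ok(packages_text, deb_path, deb_bytes):
    """Link 3: the .deb must match the Size and SHA256 fields of its Packages stanza."""
    f = parse_packages(packages_text)[deb_path]
    return len(deb_bytes) == int(f["Size"]) and hashlib.sha256(deb_bytes).hexdigest() == f["SHA256"]

# Constructed sample archive: a stand-in .deb, the Packages stanza for it, and the Release entry for that index.
DEB_PATH, INDEX_PATH = "pool/main/f/foo/foo_1.0-1_i386.deb", "main/binary-i386/Packages"
DEB_BYTES = b"constructed stand-in for the contents of foo_1.0-1_i386.deb\n"
PACKAGES_TEXT = ("Package: foo\nVersion: 1.0-1\nArchitecture: i386\n"
                 f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\n"
                 f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n")
RELEASE_TEXT = ("Origin: Debian\nSuite: stable\nSHA256:\n"
                f" {hashlib.sha256(PACKAGES_TEXT.encode()).hexdigest()} {len(PACKAGES_TEXT.encode())} {INDEX_PATH}\n")

def check_chain(release_text, packages_text, deb_bytes):
    """Links 2 and 3; link 1 needs Release.gpg and the keyring on disk (release_signature_ok)."""
    return (index_ok(release_text, INDEX_PATH, packages_text.encode())
            and deb_ok(packages_text, DEB_PATH, deb_bytes))
```

A mirror that alters any file below Release without also re-signing Release breaks exactly one link, and `check_chain` returns False for the tampered .deb or index.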

