llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

apt repository metadata should use acquire-by-hash #49575

Open 27a6bd5b-21b8-45e2-8fbe-7d9be3058228 opened 3 years ago

27a6bd5b-21b8-45e2-8fbe-7d9be3058228 commented 3 years ago
Bugzilla Link 50231
Version unspecified
OS Linux
CC @sylvestre

Extended Description

To resolve Hash Sum mismatch errors, it is possible to publish all the metadata files by their hash; and then indicate in the InRelease file to acquire things by hash.

That way apt will download the InRelease file, check the checksums of the files it wants to fetch inside there, and then acquire things from /by-hash/SHA256/9a27cff7af8578581d9b83485f85e366fff61a1f951c1dc4f33ce1892b50da72

This is a very CDN-friendly way, as normally /main/binary-amd64/Packages.gz can be anything really, and be served by the CDN as the old one.

However, that does not appear to be implemented in reprepro =````((((((

So I guess this will be blocked until https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820660 is implemented, although there is a patch to make it work: https://salsa.debian.org/bootc/reprepro/-/merge_requests/1/diffs

I guess I should salvage reprepro and make it work.
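
The by-hash layout described in this issue, as an added example (not code from the issue, reprepro, or the linked patch): each index listed in the Release file's SHA256 section is copied to `by-hash/SHA256/<digest>` beside itself, so a client holding an older InRelease can still fetch the exact bytes it expects after the canonical file has been replaced. The repository contents, the `demo` suite name and all function names are constructed for illustration; signing the Release file is assumed to happen elsewhere.

```python
import hashlib, os, posixpath, shutil, tempfile

def parse_sha256_section(release_text):
    """Return {relative_path: (sha256_hex, size)} from a Release/InRelease body."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):           # a new field ends the previous list
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def by_hash_path(path, digest):
    """An index is mirrored next to itself under by-hash/SHA256/<digest>."""
    return posixpath.join(posixpath.dirname(path), "by-hash", "SHA256", digest)

def publish_by_hash(dist_dir, release_text):
    """Copy each listed index to its by-hash name; refuse files that differ from Release."""
    published = []
    for path, (digest, size) in parse_sha256_section(release_text).items():
        src = os.path.join(dist_dir, path)
        with open(src, "rb") as f:
            data = f.read()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            raise ValueError(f"{path} does not match Release (Hash Sum mismatch)")
        rel = by_hash_path(path, digest)
        dst = os.path.join(dist_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copyfile(src, dst)
        published.append(rel)
    return published

def demo():
    """Constructed repository: publish one index, then an update that replaces it."""
    dist = tempfile.mkdtemp()
    index = "main/binary-amd64/Packages"
    os.makedirs(os.path.join(dist, "main/binary-amd64"))
    releases = []
    for body in (b"Package: demo\nVersion: 1\n", b"Package: demo\nVersion: 2\n"):
        with open(os.path.join(dist, index), "wb") as f:
            f.write(body)                      # canonical path is overwritten in place
        digest = hashlib.sha256(body).hexdigest()
        # Acquire-By-Hash must be in the Release file before it is signed.
        release = f"Suite: demo\nAcquire-By-Hash: yes\nSHA256:\n {digest} {len(body)} {index}\n"
        releases.append((release, publish_by_hash(dist, release)[0]))
    return dist, releases
```

After the second publish, the canonical `Packages` no longer matches the first Release file, but the first by-hash copy still does; old by-hash files therefore need to be kept for a while and pruned separately.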

sylvestre commented 3 years ago

It would be terrific if you could :)