<html>

    <head>

      <base href="https://bugs.llvm.org/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - apt repository metadata should use acquire-by-hash"

   href="https://bugs.llvm.org/show_bug.cgi?id=50231">50231</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>apt repository metadata should use acquire-by-hash

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>Packaging

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>enhancement

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>deb packages

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>unassignedbugs@nondot.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>xnox@ubuntu.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvm-bugs@lists.llvm.org

          </td>

        </tr></table>

      <p>

        <div>

        <pre>To resolve Hash Sum mismatch errors, it is possible to publish all the metadata

files by their hash; and then indicate in the InRelease file to acquire things

by hash.

That way apt will download InRelease file, check the checksums of files it

wants to fetch inside there and then acquire things from

/by-hash/SHA256/9a27cff7af8578581d9b83485f85e366fff61a1f951c1dc4f33ce1892b50da72

This is very CDN friendly way, as normally /main/binary-amd64/Packages.gz can

be anything really, and served by CDN as the old one.

However, that does not appear to be implemented in reprepro  =````(((((( 

So I guess this will be blocked until

<a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820660">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820660</a> is implemented.

Although there is a patch to make it work

<a href="https://salsa.debian.org/bootc/reprepro/-/merge_requests/1/diffs">https://salsa.debian.org/bootc/reprepro/-/merge_requests/1/diffs</a>

I guess I should salvage reprepro and make it work.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>