[llvm-bugs] [Bug 50231] New: apt repository metadata should use acquire-by-hash

Wed May 5 10:39:48 PDT 2021

https://bugs.llvm.org/show_bug.cgi?id=50231

            Bug ID: 50231
           Summary: apt repository metadata should use acquire-by-hash
           Product: Packaging
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: deb packages
          Assignee: unassignedbugs at nondot.org
          Reporter: xnox at ubuntu.com
                CC: llvm-bugs at lists.llvm.org

To resolve Hash Sum mismatch errors, it is possible to publish all the metadata
files by their hash; and then indicate in the InRelease file to acquire things
by hash.

That way apt will download InRelease file, check the checksums of files it
wants to fetch inside there and then acquire things from
/by-hash/SHA256/9a27cff7af8578581d9b83485f85e366fff61a1f951c1dc4f33ce1892b50da72

This is very CDN friendly way, as normally /main/binary-amd64/Packages.gz can
be anything really, and served by CDN as the old one.

However, that does not appear to be implemented in reprepro  =````(((((( 

So I guess this will be blocked until
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820660 is implemented.
Although there is a patch to make it work
https://salsa.debian.org/bootc/reprepro/-/merge_requests/1/diffs

I guess I should salvage reprepro and make it work.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20210505/a576620e/attachment-0001.html>