Hi Simon (2025.11.10_16:02:18_+0000)
My understanding is that this is not actually the purpose of
InRelease, although it's a desirable side-effect. Instead, the point
of InRelease is that if the top-level metadata (Release file) is
served in the same file as its signatures and during the same HTTP
transaction, then it cannot possibly be inconsistent, even during a
mirror resync.
I could imagine a scheme where signatures are written to separate files
by Release file hash:
    by-hash/$(sha512 Release).{gpg,sigstore,*}
That would be two file downloads, but you can have the same guarantee
that the signatures exist before you update the Release files.
Stefano
--
Stefano Rivera
http://tumbleweed.org.za/
+1 415 683 3272
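
Added example, not part of the original message or of any Debian tooling: a local simulation of the by-hash signature layout proposed above, showing that a client which fetches Release and then the signature named after its SHA-512 gets a matching pair even in the middle of a mirror resync. The function names, the sample Release contents and the HMAC used in place of a real gpg/sigstore signature are assumptions made for this sketch.

```python
import hashlib, hmac, os, tempfile

KEY = b"constructed-demo-key"  # assumption: stands in for the archive signing key

def sign(data):
    # Stand-in for gpg/sigstore (HMAC-SHA256), not a real archive signature.
    return hmac.new(KEY, data, hashlib.sha256).digest()

def sig_path(root, release, ext="gpg"):
    # by-hash/$(sha512 Release).gpg, as in the message
    return os.path.join(root, "by-hash", hashlib.sha512(release).hexdigest() + "." + ext)

def publish(root, release):
    # Signature goes out first; Release is swapped in atomically afterwards.
    os.makedirs(os.path.join(root, "by-hash"), exist_ok=True)
    with open(sig_path(root, release), "wb") as f:
        f.write(sign(release))
    tmp = os.path.join(root, "Release.new")
    with open(tmp, "wb") as f:
        f.write(release)
    os.replace(tmp, os.path.join(root, "Release"))

def fetch_verified(root):
    # Two downloads: Release, then the signature addressed by its hash.
    with open(os.path.join(root, "Release"), "rb") as f:
        release = f.read()
    try:
        with open(sig_path(root, release), "rb") as f:
            sig = f.read()
    except FileNotFoundError:
        raise ValueError("no signature published for this Release") from None
    if not hmac.compare_digest(sig, sign(release)):
        raise ValueError("signature does not match Release")
    return release

def demo():
    root = tempfile.mkdtemp()
    old, new = b"Suite: demo\nDate: 1\n", b"Suite: demo\nDate: 2\n"  # constructed
    publish(root, old)
    # Mid-resync state: new signature present, Release not yet replaced.
    with open(sig_path(root, new), "wb") as f:
        f.write(sign(new))
    mid = fetch_verified(root)
    publish(root, new)
    return mid, fetch_verified(root)

if __name__ == "__main__":
    print(demo())
```

Because old signatures stay addressable under their own hash, a client that still sees the previous Release keeps verifying until the swap, and a Release with no published signature is rejected.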