Package: snapshot.debian.org
Severity: wishlist

Hi,

given a versioned list of binary packages, it would be useful to be able to reconstruct the Debian suite (stable/testing/unstable) and one timestamp that all these packages are a part of. This would be useful for:

 - checking the integrity of a third party chroot environment or disk image or vm/docker image [1]
 - reproducing builds using information from a buildinfo file [2]

[1] http://joeyh.name/blog/entry/docker_run_debian/
[2] https://wiki.debian.org/ReproducibleBuilds#Status

The snapshot.d.o API currently allows downloading binary packages by using calls to /mr/package/${srcpkg}/${srcver}/binfiles/${binpkg}/${binver}?fileinfo=1 and debsnap(1) is a nice way to automate this, but those downloads are not verified through the GPG signature of a Release file which in turn verifies the hash of a Packages file that this binary package is part of.

If I understand the API correctly, then currently, the only way to retrieve a Release file and Packages file containing the wanted package is to look at the "first_seen" parameter of the above API response and then try out all suites of this timestamp until a Packages file with the wanted binary package is found.

Am I correct in concluding that currently this is the best/only way to verify a binary package download from snapshot.debian.org?

If yes, could this be improved by adding the containing suites to the result of the above API call? Maybe as an optional additional information?

Thanks!

cheers, josch
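
The verification chain the report describes (Release lists the hash of Packages, Packages lists the hash of the .deb, tried suite by suite), as an added example that is not part of the original message or of any snapshot.debian.org tooling. It assumes an uncompressed Packages index and that the Release signature was already checked separately (for example with gpgv); all function names and sample data are constructed for illustration.

```python
import hashlib

def stanzas(text):
    """Parse deb822 text (Release/Packages) into a list of field dicts."""
    out = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:      # continuation line
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, val = line.partition(":")
                fields[key] = val.strip()
        out.append(fields)
    return out

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify_chain(release, index_path, packages, name, version, deb):
    """True only if Release lists this Packages file and Packages lists this .deb."""
    # Assumption: the Release signature has already been verified by the caller.
    listed = [e.split() for e in stanzas(release)[0].get("SHA256", "").splitlines()]
    if [sha256(packages), str(len(packages)), index_path] not in listed:
        return False
    for st in stanzas(packages.decode()):
        if (st.get("Package"), st.get("Version")) == (name, version):
            return st.get("SHA256") == sha256(deb) and st.get("Size") == str(len(deb))
    return False

def find_suite(candidates, index_path, name, version, deb):
    """Try each suite's (Release, Packages) pair; return the first that verifies."""
    for suite, (release, packages) in candidates.items():
        if verify_chain(release, index_path, packages, name, version, deb):
            return suite
    return None

# Constructed sample data: stand-in bytes, not real archive contents.
DEB = b"constructed stand-in for hello_2.10-2_amd64.deb"
INDEX = "main/binary-amd64/Packages"
def make_suite(suite, version, deb):
    pkgs = (f"Package: hello\nVersion: {version}\nArchitecture: amd64\n"
            f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n").encode()
    rel = f"Suite: {suite}\nSHA256:\n {sha256(pkgs)} {len(pkgs)} {INDEX}\n"
    return rel, pkgs
CANDIDATES = {"stable": make_suite("stable", "2.9-1", b"older build"),
              "unstable": make_suite("unstable", "2.10-2", DEB)}

if __name__ == "__main__":
    print(find_suite(CANDIDATES, INDEX, "hello", "2.10-2", DEB))
```

A download that matches no suite's Packages entry, or a Packages file whose hash is not in the Release file, yields no suite and should be treated as unverified.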