On Wed, May 18 2016, Julian Andres Klode <j...@debian.org> wrote: > On Wed, May 18, 2016 at 01:59:22PM +0200, A Mennucc1 wrote: >> But keep in mind that debdelta is integrated in 'cupt' that is another >> package manager, similar to 'aptitude'.
The main selling point of aptitude for me is the sophisticated curses interface and it's preview. I wouldn't bother using aptitude if it wasn't for it's TUI (in fact, I use apt-get directly in other scenarios). > 1. An index of all deltas (probably per-arch) with checksums for them > (basically that's old hash, new hash, delta hash, and size. hashes > should be SHA256 or SHA512). Preferably also Package, Version, > Old-Version, Architecture fields. > 2. A release file signing the index Do we need all of those? A reconstructed package is byte-for-byte identical to the package already in the pool. We can verify the authenticity using the original archive signature before installing it. I don't know if debdelta has already delta checksums themselves (mainly to prevent corruption over transfer). Please correct me if I'm wrong. > We want to have that for security reasons (we do not > want to trust unsigned data), and of course for progress display > (we need to know how many files to fetch and how large they are). This should also be already available. > I'm still not sure if debdelta is the right approach, or if we can > come up with something faster. Downloading deltas is a CPU/space tradeoff. Over a fast link, rebuilding the package with the delta is going to take longer than simply redownloading it in full. Which is the main reason we need a controllable switch in the frontend.