Package: apt Version: 1.3.1 Control: block 848193 by -1 Dear apt maintainers:
I would like a way to get the [In]Release file corresponding to the source from which apt got (or, I guess, would install) a particular package. I can use `apt-cache madison' to find the archive URL and the locations within that archive. The [In]Release file has a predictable filename (derived from the URL) in the apt cache. May I fish the [In]]Release file out of the apt cache ? Things I want to avoid include: * Breaking if apt changes the cache layout. How likely is this ? Relying on the cache url->filename mangling seems a bit rude. * Consuming a file whose signature has not been verified by apt. That would be a vulnerability. * Becoming confused if there are both Release and InRelease files. I guess I can just use InRelease if I find both ? * Implementing my own signature verification, resulting in the possibility that my set of approved public keys or my verification criteria might differ from apt's. Do you have advice for me ? If there is not currently a good way of getting this information (which there may not be) then please take this wishlist bug as a request for a way to get it. Also, in that case, please let me know whether it would be bad of me to implement my approach as described above, in the meantime. Thanks for any help you can provide. Regards, Ian. -- Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own. If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
