On Thu, 2019-04-11 at 11:49 +0200, Guido Günther wrote:
> E.g. for amd64 and stretch we'd have a file
> 
>    http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/.treeinfo
> 
> looking like
> 
>     [checksums]
>     current/images/netboot/mini.iso = sha256:...
>     current/images/netboot/debian-installer/amd64/initrd.gz = sha256:...
>     current/images/netboot/debian-installer/amd64/linux = sha256: ...
>     
>     [general]
>     arch = x86_64
>     family = Debian
>     name = Debian Stretch
>     version = 9.8.0
>     platforms = x86_64
>     
>     [images-x86_64]
>     boot.iso = current/images/netboot/mini.iso
>     initrd = current/images/netboot/debian-installer/amd64/initrd.gz
>     kernel = current/images/netboot/debian-installer/amd64/linux

Given one can list multiple architectures at one place, shouldn't that
be
  https://deb.debian.org/debian/dists/${release}/main/treeinfo
or
  https://deb.debian.org/debian/dists/${release}/treeinfo

Users shouldn't have to deal with installer-amd64 or such.

"[general]" also seems deprecated (and limited to one arch).

Is there any reason why this should be a hidden file?

Shouldn't such a file be signed in some way?  If for some reason you
only want to trust http(s), the canonical location should probably
*not* be the regular mirror network, but some different place (at which
point anyone could generate these files as well).

Ansgar
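
Added example, not part of the original thread: a sketch of how a client could check the files named in an `[images-<arch>]` section against `[checksums]` in the layout quoted above. The sample bytes, digests and the `fetch` callback are constructed for illustration; the digests only bind the images to the treeinfo file, so the result is meaningful only if the treeinfo itself was obtained from an authenticated source.

```python
import configparser
import hashlib

# Constructed sample data (not real Debian images or digests).
FILES = {
    "current/images/netboot/debian-installer/amd64/linux": b"constructed kernel",
    "current/images/netboot/debian-installer/amd64/initrd.gz": b"constructed initrd",
}
KERNEL, INITRD = FILES
TREEINFO = f"""\
[checksums]
{KERNEL} = sha256:{hashlib.sha256(FILES[KERNEL]).hexdigest()}
{INITRD} = sha256:{hashlib.sha256(FILES[INITRD]).hexdigest()}

[images-x86_64]
initrd = {INITRD}
kernel = {KERNEL}
"""

def parse_treeinfo(text):
    """Parse treeinfo text; option names are file paths, so keep their case."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def verify_images(cp, arch, fetch):
    """Return {path: status} for every file listed in [images-<arch>].

    fetch(path) is a hypothetical callback returning the file's bytes.
    """
    checksums = cp["checksums"] if cp.has_section("checksums") else {}
    results = {}
    for _, path in cp.items(f"images-{arch}"):
        algo, _, expected = checksums.get(path, "").partition(":")
        if algo.strip() != "sha256":
            # Missing entry or unknown algorithm: treat as unverified, not ok.
            results[path] = "no usable checksum"
            continue
        actual = hashlib.sha256(fetch(path)).hexdigest()
        results[path] = "ok" if actual == expected.strip().lower() else "MISMATCH"
    return results

def demo():
    cp = parse_treeinfo(TREEINFO)
    clean = verify_images(cp, "x86_64", FILES.__getitem__)
    tampered = {**FILES, KERNEL: b"swapped kernel"}  # constructed tampering case
    return clean, verify_images(cp, "x86_64", tampered.__getitem__)
```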