Package: release.debian.org
Control: affects -1 + src:extrepo-data
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
Subject: bookworm-pu: package extrepo-data/1.0.5
thanks

[making this an official stable update request; for the full backstory,
please see the thread starting at
https://lists.debian.org/debian-release/2024/03/msg00076.html]

On Thu, Mar 07, 2024 at 07:10:28PM +0100, Thomas Goirand wrote:
> On 3/7/24 06:57, Paul Gevers wrote:
> > Having said that and not knowing if it doesn't already do that, if
> > extrepo would update a cache when online, its offline option could
> > also be refreshed at a convenient moment without the need for an
> > up-to-date package in stable. I hope it's needless to say that I don't
> > mean that this mechanism should replace the data package, merely
> > complement it.
>
> It's actually a very good idea to have such a cache. Though as you wrote, it
> doesn't replace the data package, especially when one wants to use a local
> mirror, with something like this:
>
> apt-get install extrepo extrepo-offline-data
> extrepo enable --offlinedata --mirror http://mirror.example.com/haproxy

To give a bit more background here:

extrepo was originally designed to use an online, GPG-signed, metadata
repository. When you run an extrepo command and it needs to, extrepo
will download the metadata index and the signature on that, and then
verify that the signature is correct. All further information that it
needs is hashed with a cryptographically secure hash, and so can be
assumed to be safe.

extrepo provides two things: a (checked and vetted) URI for a repository
of external packages, and a (checked and vetted) GPG key that can sign
packages in that repository.

Accessing the metadata repository in the way described above however
requires direct access to that metadata repository, which is complicated
for air-gapped systems.
While the location of that repository is configurable, and in theory it
is possible to write a tool which will download the metadata plus all
signatures plus all external files that exist, that seems like quite a
bit of work, and Thomas therefore suggested an alternate solution whereby
the extrepo metadata is also packaged in Debian.

Doing so only requires a person to mirror the repository that they want
to enable, and to override the mirror URL by way of the --mirror option
passed to extrepo. This way, extrepo will enable the repository on the
given mirror, and will ensure that the relevant GPG key for the
repository in question is provided to apt, which can still save the user
some work of having to manually download and verify the GPG key.

The downside here, however, is that most repositories are updated to add
support for a particular Debian release only after that Debian release
has been promoted to stable. This unfortunately reduces the usability of
the extrepo-offline-data package, which could be remedied by updating
the package in stable.

The extrepo-offline-data package, as the name implies, is a data-only
package. Apart from the changelog and copyright in /usr/share/doc, it
only contains metadata files under /usr/share/extrepo/offline-data.

Thanks for your consideration,

-- 
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}

I will have a Tin-Actinium-Potassium mixture, thanks.
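
A simplified model of the trust chain described in the message above, added here as an illustration; it is not part of the original mail and is not extrepo's own code. The index layout, field names, sample key and the key path under /var/lib/extrepo are assumptions, and the index entry is taken as already trusted (signature-verified online metadata or the packaged offline data).

```python
import hashlib
import hmac

# Constructed sample key; a real entry would carry an armored OpenPGP key.
SAMPLE_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed)\n"

# Constructed index entry with hypothetical field names. Assumed to come from
# metadata whose signature was already verified, or from the packaged offline
# data, so its contents are trusted.
INDEX = {
    "haproxy": {
        "uri": "https://upstream.example.org/haproxy",
        "suite": "bookworm",
        "components": "main",
        "key_sha256": hashlib.sha256(SAMPLE_KEY).hexdigest(),
    }
}


def key_is_pinned(entry, key_bytes):
    """True only if key_bytes hashes to the value recorded in the entry."""
    digest = hashlib.sha256(key_bytes).hexdigest()
    return hmac.compare_digest(digest, entry["key_sha256"])


def enable(name, key_bytes, index=INDEX, mirror=None):
    """Return a deb822 sources stanza for name; refuse an unpinned key."""
    entry = index[name]
    if not key_is_pinned(entry, key_bytes):
        raise ValueError(f"{name}: key does not match the hash in the index")
    # The mirror override changes where packages are fetched from, not which
    # key apt is told to trust for them.
    uri = mirror or entry["uri"]
    return (
        "Types: deb\n"
        f"URIs: {uri}\n"
        f"Suites: {entry['suite']}\n"
        f"Components: {entry['components']}\n"
        f"Signed-By: /var/lib/extrepo/keys/{name}.asc\n"  # assumed key path
    )


if __name__ == "__main__":
    print(enable("haproxy", SAMPLE_KEY,
                 mirror="http://mirror.example.com/haproxy"))
```

The point of the model is that a local mirror can replace the download location without weakening the check on the key, because the key is tied to the vetted metadata rather than to the mirror.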