Stefano Rivera <[email protected]> writes:

> Hi Simon (2025.11.10_16:02:18_+0000)
>> My understanding is that this is not actually the purpose of
>> InRelease, although it's a desirable side-effect. Instead, the point
>> of InRelease is that if the top-level metadata (Release file) is
>> served in the same file as its signatures and during the same http
>> transaction, then it cannot possibly be inconsistent, even during a
>> mirror resync
>
> I could imagine a scheme where signatures are written to separate
> files by Release file hash:
>
> by-hash/$(sha512 Release).{gpg,sigstore,*}
>
> That would be two file downloads, but you can have the same guarantee
> that the signatures exist before you update the Release files.
Good point, although let me suggest using a scheme that embeds the date from within the Release file as well, to have a better sort order. That is actually what I already implement in my Git-LFS mirror of Debian: top-level Release and Release.gpg files are symlinks to by-date-sha256:

https://gitlab.com/debdistutils/dists/debian/-/tree/main/dists/trixie?ref_type=heads

For example

https://gitlab.com/debdistutils/dists/debian/-/blob/main/dists/trixie/Release?ref_type=heads

and

https://gitlab.com/debdistutils/dists/debian/-/blob/main/dists/trixie/Release.gpg?ref_type=heads

contain the links

by-date-sha256/2025-09-06T09.42.55Z-7b0a29677613ece3d32f71e7396702f637eb9e26ca35e378406130786679e959/Release

and

by-date-sha256/2025-09-06T09.42.55Z-7b0a29677613ece3d32f71e7396702f637eb9e26ca35e378406130786679e959/Release.gpg

respectively, and the directory has a useful sort order:

https://gitlab.com/debdistutils/dists/debian/-/tree/main/dists/trixie/by-date-sha256?ref_type=heads

I used a sub-directory but that isn't really needed; your approach is more efficient.

Still, this introduces latency:

1) retrieve Release file
2) retrieve Release.sigstore or Release.gpg file

It would be nice to avoid that added latency. That's what I like about using the InRelease file for this.

There is also one less error case to worry about: what to do if there is a Release file but transfer errors of the by-*/123123... file? The logic has to withstand an attacker causing failures on that file too.

/Simon
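The two layouts discussed in this thread, and the fail-closed client logic Simon's last paragraph asks for, as an added example that is not code from either poster or from debdistutils. The Release content, the mirror dictionary and the signature check are constructed stand-ins; a real client would hand the Release and signature to gpgv or a sigstore verifier instead of toy_verify.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample Release file (not a real Debian one; per-file hash lines omitted).
RELEASE = (b"Origin: Debian\nSuite: stable\nCodename: trixie\n"
           b"Date: Sat, 06 Sep 2025 09:42:55 UTC\nArchitectures: amd64\n")

def release_date_stamp(release: bytes) -> str:
    """Render the Release file's own Date: field as YYYY-MM-DDTHH.MM.SSZ (dots keep it path-safe)."""
    m = re.search(rb"^Date: (.+)$", release, re.M)
    if m is None:
        raise ValueError("Release file has no Date: field")
    dt = datetime.strptime(m.group(1).decode(), "%a, %d %b %Y %H:%M:%S %Z")
    return dt.strftime("%Y-%m-%dT%H.%M.%SZ")

def by_date_sha256_dir(release: bytes) -> str:
    """Simon's layout: date first so a directory listing sorts chronologically, then the content hash."""
    return f"by-date-sha256/{release_date_stamp(release)}-{hashlib.sha256(release).hexdigest()}"

def by_hash_sig_path(release: bytes, kind: str = "gpg") -> str:
    """Stefano's layout: the signature file is addressed purely by the Release file's SHA-512."""
    return f"by-hash/{hashlib.sha512(release).hexdigest()}.{kind}"

def fetch_signed_release(mirror, suite_dir, verify):
    """Two-transfer client: fetch Release, then the signature its hash points at.
    Returns the Release bytes only when both transfers succeeded and verify() accepted them.
    Any failure on the second transfer (mirror mid-resync, or just that file failing) yields
    None, so the caller keeps its previously verified metadata instead of trusting an unsigned one."""
    release = mirror.get(f"{suite_dir}/Release")
    if release is None:
        return None
    sig = mirror.get(f"{suite_dir}/{by_hash_sig_path(release)}")   # the second round trip
    if sig is None or not verify(release, sig):
        return None
    return release

# Constructed stand-ins for the signer and verifier; NOT a real signature scheme.
def toy_sign(release: bytes) -> bytes:
    return b"SIGNED:" + hashlib.sha256(release).hexdigest().encode()

def toy_verify(release: bytes, sig: bytes) -> bool:
    return sig == toy_sign(release)

# A consistent mirror, and one caught mid-resync where only the Release file made it across.
GOOD_MIRROR = {"dists/trixie/Release": RELEASE,
               f"dists/trixie/{by_hash_sig_path(RELEASE)}": toy_sign(RELEASE)}
RESYNC_MIRROR = {"dists/trixie/Release": RELEASE}

if __name__ == "__main__":
    print(by_date_sha256_dir(RELEASE))
    print(fetch_signed_release(GOOD_MIRROR, "dists/trixie", toy_verify) is not None)   # True
    print(fetch_signed_release(RESYNC_MIRROR, "dists/trixie", toy_verify) is None)     # True
```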

