On Wed, Nov 24, 2004 at 11:18:44PM +0100, Michael Vogt wrote: > On Wed, Nov 24, 2004 at 04:49:34AM +1000, Anthony Towns wrote: > > Knowing the md5sum of the patches is useful just in case diff has a > > root exploit. > > I'm not sure if I understand this correctly. You think that someone > could sneak in a rogue diff to expolit apt?
ed comes also with 'red', which doesn't allow any execution, just buffer manipulation commands. The subset of ed needed for this application can also be manually reimplemented, it is extremely simple (indexed linewise removals and additions). > > Knowing the date of the resulting Packages file you're going to > > create at each step is useful for debugging -- while you might > > expect daily patches for testing/unstable, they'll come at much more > > irregular intervals for stable or security updates. > > That's indeed usefull. You could make sure the patch files have the same mtime as the resulting packages file, and then on client side, you touch the result towards the date that the http/ftp protocol tells you the patch file is -- just as with size, also date can be transferred via the protocol. --Jeroen -- Jeroen van Wolffelaar [EMAIL PROTECTED] http://jeroen.A-Eskwadraat.nl
