I have been working for a while on a tool for automatically merging downstream 
changes with new packages from Debian [1].

One annoyance with the tool as it stands at the moment is that, when adding a new package 
to the list of packages to be processed, the user must often manually obtain the dsc for 
the "base version" their local package was based on. I would like to add the 
option to automatically retrieve this from snapshot.debian.org.

Unfortunately there doesn't seem to be a good way to securely retrieve a dsc 
from snapshot.debian.org given a package name and version number.

Debian dsc files are signed but those signatures are severely problematic for 
any sort of automated verification. The set of allowed keys is constantly 
changing, some of the keys used to sign dscs may not be keys authorised for 
unlimited uploads to the Debian archive, the keys may be used to sign dscs not 
intended for upload to Debian, and so on.

The other verification option seems to be to use the signature on the "Release" file to verify the 
"Sources" file and then use the "Sources" file to verify the dsc but there are 
difficulties here too.

1. The snapshot.debian.org api doesn't seem to provide any information about 
which suites a source package was seen in.
2. The Sources files are rather large, this is made worse if I have to use a 
brute-force approach to find the correct one.

Am I overlooking a better way of securely retrieving old source packages?

Has anyone attempted to implement a tool that performs verified downloads of 
source packages from snapshot.debian.org ?

[1] https://github.com/plugwash/autoforwardportergit

vcs-pkg-discuss mailing list
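The Release -> Sources -> dsc chain discussed above, as an added example that is not part of the original post or of the autoforwardportergit tool. It assumes the Release file's detached signature has already been checked out of band (e.g. with gpgv against the Debian archive keyring) and takes the Release text as trusted input; everything after that is a hash chain. The sample Release stanza, Sources stanza and .dsc below are constructed for the example, with the hashes computed at import time so they are consistent, and the package name example-pkg is hypothetical.

```python
import hashlib
import hmac


class VerificationError(Exception):
    """A file did not match the size or SHA-256 listed for it one link up the chain."""


def parse_stanzas(text):
    """Split deb822-style text into dicts; continuation lines (leading space) are
    appended to the previous field, which is how Release and Sources list hashes."""
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            last_key = None
        elif line[0] in " \t":
            if last_key is None:
                raise ValueError("continuation line without a field: %r" % line)
            current[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def parse_checksum_lines(field):
    """Turn a 'hash size name' list (SHA256: in Release, Checksums-Sha256: in Sources)
    into {name: (hash, size)}."""
    entries = {}
    for line in field.splitlines():
        if not line.strip():
            continue
        digest, size, name = line.split()
        if len(digest) != 64 or not all(c in "0123456789abcdef" for c in digest):
            raise ValueError("malformed SHA-256 for %s" % name)
        entries[name] = (digest, int(size))
    return entries


def _check(data, expected, name):
    digest, size = expected
    if len(data) != size:
        raise VerificationError("%s: size %d, expected %d" % (name, len(data), size))
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
        raise VerificationError("%s: SHA-256 mismatch" % name)


def verify_sources(release_text, sources_bytes, sources_path="main/source/Sources"):
    """Link 1: the (already signature-checked) Release file vouches for Sources."""
    release = parse_stanzas(release_text)[0]
    entries = parse_checksum_lines(release["SHA256"])
    if sources_path not in entries:
        raise VerificationError("Release does not list %s" % sources_path)
    _check(sources_bytes, entries[sources_path], sources_path)
    return True


def find_dsc(sources_text, package, version):
    """Locate the stanza for package/version and return (pool path, (hash, size)) of its .dsc."""
    for stanza in parse_stanzas(sources_text):
        if stanza.get("Package") == package and stanza.get("Version") == version:
            entries = parse_checksum_lines(stanza["Checksums-Sha256"])
            dscs = [n for n in entries if n.endswith(".dsc")]
            if len(dscs) != 1:
                raise VerificationError("expected exactly one .dsc for %s" % package)
            return stanza["Directory"] + "/" + dscs[0], entries[dscs[0]]
    raise LookupError("%s %s not in this Sources file" % (package, version))


def verify_dsc(release_text, sources_bytes, dsc_bytes, package, version):
    """Full chain: Release -> Sources -> dsc. Returns the pool path of the verified dsc."""
    verify_sources(release_text, sources_bytes)
    path, expected = find_dsc(sources_bytes.decode("utf-8"), package, version)
    _check(dsc_bytes, expected, path)  # Link 2: Sources vouches for the dsc
    return path


# --- constructed sample data (not real archive content) ---------------------
SAMPLE_DSC = b"Format: 3.0 (quilt)\nSource: example-pkg\nVersion: 1.0-1\n"
_dsc_hash = hashlib.sha256(SAMPLE_DSC).hexdigest()
SOURCES_BYTES = (
    "Package: example-pkg\nVersion: 1.0-1\nDirectory: pool/main/e/example-pkg\n"
    "Checksums-Sha256:\n"
    " %s %d example-pkg_1.0-1.dsc\n"
    " %s 42 example-pkg_1.0.orig.tar.xz\n"
    "\n"
    "Package: other\nVersion: 2.0-1\nDirectory: pool/main/o/other\n"
    "Checksums-Sha256:\n %s 7 other_2.0-1.dsc\n"
    % (_dsc_hash, len(SAMPLE_DSC), "ab" * 32, "cd" * 32)
).encode("utf-8")
RELEASE_TEXT = (
    "Origin: Debian\nSuite: example\nDate: Sat, 01 Jan 2000 00:00:00 UTC\n"
    "SHA256:\n %s %d main/source/Sources\n %s 10 main/binary-amd64/Packages\n"
    % (hashlib.sha256(SOURCES_BYTES).hexdigest(), len(SOURCES_BYTES), "ef" * 32)
)

if __name__ == "__main__":
    print(verify_dsc(RELEASE_TEXT, SOURCES_BYTES, SAMPLE_DSC, "example-pkg", "1.0-1"))
```

The size check before the hash comparison is deliberate: a Sources entry records both, and rejecting on length first costs nothing. The find_dsc lookup by Package and Version is exactly the step that needs the right Sources file, which is the suite-discovery problem raised in the post; the hash chain itself does not depend on which suite the file came from, only on the Release file that lists it being the one whose signature was checked.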
