I have been working for a while on a tool for automatically merging downstream
changes with new packages from Debian.
One annoyance with the tool as it stands at the moment is that, when adding a new package
to the list of packages to be processed, the user must often manually obtain the dsc for
the "base version" their local package was based on. I would like to add the
option to automatically retrieve this from snapshot.debian.org.
Unfortunately there doesn't seem to be a good way to securely retrieve a dsc
from snapshot.debian.org given a package name and version number.
Debian dsc files are signed, but those signatures are severely problematic for
any sort of automated verification: the set of allowed keys is constantly
changing, some of the keys used to sign dscs may not be keys authorised for
unlimited uploads to the Debian archive, the keys may be used to sign dscs not
intended for upload to Debian, and so on.
The other verification option seems to be to use the signature on the "Release" file to verify the
"Sources" file and then use the "Sources" file to verify the dsc, but there are
difficulties here too.
1. The snapshot.debian.org API doesn't seem to provide any information about
which suites a source package was seen in.
2. The Sources files are rather large, and this is made worse if I have to use a
brute-force approach to find the correct one.
Am I overlooking a better way of securely retrieving old source packages?
Has anyone attempted to implement a tool that performs verified downloads of
source packages from snapshot.debian.org?
vcs-pkg-discuss mailing list
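The Release -> Sources -> dsc verification chain the post describes, written out as an added example (Python; not code from the original message or from any existing tool). It assumes the Release file's OpenPGP signature has already been checked with gpgv against the Debian archive keyring, and only covers the two hash links below that, run here over constructed sample data rather than real archive files.

```python
import hashlib

# Assumes the Release file's OpenPGP signature was already checked (gpgv + Debian archive keyring).
# This code covers the remaining hash links: Release -> Sources -> .dsc.

def parse_release_sha256(release_text):
    # {relative path: (sha256 hex, size)} taken from the Release file's SHA256: block
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_block = line.strip() == "SHA256:"  # other blocks (MD5Sum:, SHA1:) are ignored
            continue
        if in_block:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_sources(sources_text):
    # list of stanza dicts; Checksums-Sha256 becomes a list of (sha256, size, filename)
    stanzas = []
    for block in sources_text.strip().split("\n\n"):
        stanza, field = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and field == "Checksums-Sha256":
                d, s, f = line.split()
                stanza[field].append((d, int(s), f))
            elif not line.startswith(" "):
                field, _, value = line.partition(":")
                stanza[field] = [] if field == "Checksums-Sha256" else value.strip()
        stanzas.append(stanza)
    return stanzas

def verify_dsc(release_text, sources_bytes, sources_path, package, version, dsc_bytes):
    # True only if Sources matches Release and the .dsc matches the package's stanza
    entry = parse_release_sha256(release_text).get(sources_path)
    if (entry is None or len(sources_bytes) != entry[1]
            or hashlib.sha256(sources_bytes).hexdigest() != entry[0]):
        return False
    for st in parse_sources(sources_bytes.decode()):
        if st.get("Package") == package and st.get("Version") == version:
            for d, s, f in st.get("Checksums-Sha256", []):
                if f.endswith(".dsc"):
                    return len(dsc_bytes) == s and hashlib.sha256(dsc_bytes).hexdigest() == d
    return False

def build_sample():  # constructed data, not real archive content, wired so the chain verifies
    dsc = b"Format: 3.0 (quilt)\nSource: examplepkg\nVersion: 1.0-1\n"
    sources = ("Package: examplepkg\nVersion: 1.0-1\nChecksums-Sha256:\n"
               " %s %d examplepkg_1.0-1.dsc\n" % (hashlib.sha256(dsc).hexdigest(), len(dsc))).encode()
    release = "SHA256:\n %s %d main/source/Sources\n" % (hashlib.sha256(sources).hexdigest(), len(sources))
    return release, sources, dsc
```

Any tampering with either the Sources index or the dsc (or a version that has no stanza) makes verify_dsc return False, which is the check a downloader would run before trusting a dsc fetched by package name and version.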