Package: release.debian.org
Control: affects -1 + src:extrepo-data
User: ***@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
Subject: bookworm-pu: package extrepo-data/1.0.5
thanks
[making this an official stable update request; for the full backstory,
please see the thread starting at
https://lists.debian.org/debian-release/2024/03/msg00076.html]]
Post by Paul GeversHaving said that and not knowing if it doesn't already do that, if
extrepro would update a cache when online, it's offline option could
also be refreshed at a convenience moment without the need for an
up-to-date package in stable. I hope it's needless to say that I don't
mean that this mechanisme should replace the data package, merely
complement it.
It's actually a very good idea to have such cache. Though as you wrote, it
doesn't replace the data package, especially when one wants to use local
apt-get install extrepo extrepo-offline-data
extrepo enable --offlinedata --mirror http://mirror.example.com/haproxy
To give a bit more background here:
extrepo was originally designed to use an online, GPG-signed, metadata
repository. When you run an extrepo command and it needs to, extrepo
will download the metadata index and the signature on that, and then
verify that the signature is correct. All further information that it
needs is hashed with a cryptographically secure hash, and so can be
assumed to be safe.
extrepo provides two things: a (checked and vetted) URI for a repository
of external packages, and a (checked and vetted) GPG key that can sign
packages in that repository.
Accessing the metadata repository in the way described above however
requires direct access to that metadata repository, which is complicated
for air-gapped systems. While the location of that repository is
configurable, and in theory it is possible to write a tool which will
download the metadata plus all signatures plus all external files that
exist, that seems like quite a bit of work, and Thomas therefore
suggested an alternate solution whereby the extrepo metadata is also
packaged in Debian. Doing so only requires a person to mirror the
repository that they want to enable, and to override the mirror URL by
way of the --mirror option passed to extrepo. This way, extrepo will
enable the repository on the given mirror, and will ensure that the
relevant GPG key for the repository in question is provided to apt,
which can still save the user some work of having to manually download
and verify the GPG key.
The downside here however, is that most repositories are updated to add
support for a particular Debian release only after that Debian release
has been promoted to stable. This unfortunately reduces the usability of
the extrepo-offline-data package, which could be remedied by updating
the package in stable.
The extrepo-offline-data package, as the name implies, is a data-only
package. Apart from the changelog and copyright in /usr/share/doc, it
only contains metadata files under /usr/share/extrepo/offline-data.
Thanks for your consideration,
--
***@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
I will have a Tin-Actinium-Potassium mixture, thanks.