[Apt-zip-devel] Exporting USEMD5SUMS

Giacomo A. Catenazzi cate at debian.org
Tue Mar 18 09:31:59 UTC 2008 

Eddy Petrișor wrote:
> Giacomo Catenazzi wrote:
> 
> I just finished importing and tagging the missing versions into subversion,
> so now the svn version should be the same as the 0.18 release and should 
> contain all the history contained in the archive (0.16, 0.17 and 0.18).

thanks :-)
What method do you use?
I see in wiki.d.o that a lot of team have a lot of different
methods. We have simple life because we are upstream and we
have only one package.
Anyway do you use plain svn or svn-buildpackage ?


>> BTW somebody proposed me an other design: a web based application.
>> I see it as:
>> - USER: upload of package list (+ installed version)
>> - SERVER: find new packages (ev. with dependencies)
>> - SERVER: display a link to the new generated tar file
> 
> I am fairly sure I have seen this proposal before, but I can't find he BR.

It is possible. It is not my idea. :-)
Probably the proposal arrived via apt-zip at p.d.o.


>> As further step we can add:
>> - dependencies search,
>> - split big tar to an user defined max size (i.e. floppy)
>> - user could save the package list
>>   - easier to get new security or stable-update
>>   - notified via email
>> - ...
> 
> Yes, this sounds good. Still, the bottleneck here seems to be the server 
> itslef. This would definitely have to be account (or some other 
> authentication) based in order to prevent DoS attacks.

debian mirror are not authenticated.
And for my experiences, authentication is much more resource extensive
(captcha, confirmation via email [to the wrong people], ...).

I think it would be simpler to limit bandwidth or number of downloads
(apache and lighttpd have such options).


> Also, apt-zip would be only responsible of creating a "local machine 
> status" snapshot (states of the packages+sources.list{,.d/*}).
> 
> Still, I think this should *not* replace the current apt-zip-list and 
> apt-zip-inst scripts until we have something really functional.

but also the fetch scripts should remain. They are very good for
automated job.

I see the web version as an additional fetch method.

> It depends on which packages are downloaded. We could impose a soft 
> limit of (say) 50MB for a apt-zip-server upgrade and request direct 
> usage of apt-zip-list update + apt-zip-list upgrade ... for bigger 
> downloads.

let see. I really don't know usage pattern and how much people
will use it.
But if the method become popular, we would find easily mirror
machines.
Probably we should also talk with Ubuntu, to share resources.

ciao
	cate

More information about the apt-zip-devel mailing list