Archive layout

[jnqnfe]

Hi,

Recently I have been undertaking some work on improving the live-build
(LB) tool, upstream at Debian. For those unaware of it, it is a tool
(large script actually) for building a live image to be written to
CD/DVD/etc.

While many files are downloaded by live-build via apt, and thus done in
a secure and Ubuntu archive compatible way, there are several files
downloaded from archives simply via wget, and with no security
verification. Debian bug #718225 is a long standing request for the
addition of secure verification of these files, and I am almost done
with building a solution.

However, I have just noticed two problematic differences in archive
layout between Debian and Ubuntu that throw a spanner in the works.
1) Ubuntu does not provide Contents-{ARCH}.gz files under archive area
directories, only a single one in the directory above. These files are
used by LB to obtain a list of firmware packages to download and
include. The user has control over which archive areas packages are
obtained from, so separate contents files are needed to ensure only
firmware packages from those archive areas are obtained.
2) Ubuntu does not include any details of
dists/{DIST}/main/installer-{ARCH} directory contents in the dist
Release file. A hashsums file exists within each installer version
sub-directory, which forms a necessary part of a verification procedure
in both distributions for the installer files found there, but Debian
includes a hash of this hashsum file in the main dist Release file,
while Ubuntu instead provide a detached GPG signature file for it.

As I have just described in Debian bug #774378, a couple of years ago LB
introduced a commit that handled #1 above, but less than a month later
it was removed again, with the opinion that Ubuntu should bring their
archives into line with Debian archive layout. It has been left that way
ever since, and your archive layout has not changed either. I have
requested that the Debian maintainer reassess the removal of this check,
particularly since this causes an issue with my 718225 solution (not so
forgiving at allowing wget's to simply fail with the build carrying on
regardless). However, considering that I believe users should have
control over which archive areas they obtain packages from, I believe he
is right in suggesting that Ubuntu archive layouts should be brought
more inline with Debian's layout by including the additional contents files.

With issue #2, I currently have no opinion of which is the better
approach, but the difference does pose a problem for me. To support both
I will have to include a sizable chunk of extra code to cover your
alternate verification needs. This would not be necessary if Ubuntu were
to adopt both approaches (simply include the hash for the installer
hashsum file in the main dist Release file), at least for the time being
until a common setup can be agreed upon (assuming/hoping Debian & Ubuntu
are willing to discuss and one of you change accordingly).