Securely retrieving dscs from snapshot.debian.org

peter green plugwash at p10link.net
Wed Dec 27 21:41:21 UTC 2017


I have been working for a while on a tool for automatically merging downstream changes with new packages from Debian [1].

One annoyance with the tool as it stands at the moment is that when adding a new package to the list of packages to be processed the user must often manually obtain the dsc for the "base version" their local package was based on. I would like to add the option to automatically retrieve this from snapshot.debian.org

Unfortunately there doesn't seem to be a good way to securely retrieve a dsc from snapshot.debian.org given a package name and version number.

Debian dsc files are signed, but those signatures are severely problematic for any sort of automated verification. The set of allowed keys is constantly changing, some of the keys used to sign dscs may not be keys authorised for unlimited uploads to the Debian archive, the keys may be used to sign dscs not intended for upload to Debian, and so on.

The other verification option seems to be to use the signature on the "Release" file to verify the "Sources" file and then use the "Sources" file to verify the dsc but there are difficulties here too.

1. The snapshot.debian.org api doesn't seem to provide any information about which suites a source package was seen in.
2. The Sources files are rather large; this is made worse if I have to use a brute-force approach to find the correct one.

Am I overlooking a better way of securely retrieving old source packages?

Has anyone attempted to implement a tool that performs verified downloads of source packages from snapshot.debian.org?


[1] https://github.com/plugwash/autoforwardportergit
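The Release -> Sources -> dsc chain described in the post, as an added example that is not part of the original message or of the autoforwardportergit tool. It assumes the OpenPGP signature on the Release file has already been checked against the archive keyring (that step is outside this snippet), and it uses constructed sample Release, Sources and dsc content whose hashes are computed inline so the chain is self-consistent. The point it shows is that once the Release file is trusted, the dsc can be verified purely by hash without trusting any maintainer key.

```python
import hashlib
from typing import Dict, List, Tuple


class VerificationError(Exception):
    """Raised when any link in the Release -> Sources -> dsc chain fails."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_checksums(release_text: str) -> Dict[str, Tuple[str, int]]:
    """Parse the 'SHA256:' section of an apt Release file into {path: (hexdigest, size)}."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A new top-level field; only lines indented under 'SHA256:' are checksum entries.
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_sources(sources_text: str) -> List[dict]:
    """Split an apt Sources file into stanzas; continuation lines are joined with newlines."""
    stanzas: List[dict] = []
    current: dict = {}
    last_field = None
    for line in sources_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_field = {}, None
            continue
        if line.startswith(" "):
            # Continuation of a multi-line field such as Checksums-Sha256.
            current[last_field] = current[last_field] + "\n" + line.strip()
        else:
            field, _, value = line.partition(":")
            last_field = field
            current[field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_dsc(release_text: str, sources_path: str, sources_bytes: bytes,
               package: str, version: str, dsc_bytes: bytes) -> str:
    """Verify dsc_bytes via Release -> Sources -> dsc; return the dsc filename or raise."""
    release = parse_release_checksums(release_text)
    if sources_path not in release:
        raise VerificationError(f"{sources_path} is not listed in the Release file")
    expected_digest, expected_size = release[sources_path]
    if len(sources_bytes) != expected_size or sha256_hex(sources_bytes) != expected_digest:
        raise VerificationError("Sources file does not match the Release file")
    for stanza in parse_sources(sources_bytes.decode()):
        if stanza.get("Package") == package and stanza.get("Version") == version:
            break
    else:
        raise VerificationError(f"{package} {version} not found in Sources")
    for entry in stanza.get("Checksums-Sha256", "").split("\n"):
        if not entry:
            continue
        digest, size, name = entry.split()
        if name.endswith(".dsc"):
            if len(dsc_bytes) != int(size) or sha256_hex(dsc_bytes) != digest:
                raise VerificationError(f"{name} does not match the hash recorded in Sources")
            return name
    raise VerificationError("stanza has no .dsc entry in Checksums-Sha256")


def is_verified(release_text, sources_path, sources_bytes, package, version, dsc_bytes) -> bool:
    """Boolean wrapper around verify_dsc for callers that only need pass/fail."""
    try:
        verify_dsc(release_text, sources_path, sources_bytes, package, version, dsc_bytes)
        return True
    except VerificationError:
        return False


# Constructed sample data (not real archive content); hashes are computed so the chain is consistent.
DSC_BYTES = b"Format: 3.0 (quilt)\nSource: examplepkg\nBinary: examplepkg\nVersion: 1.2-3\n"
SOURCES_PATH = "main/source/Sources"
SOURCES_BYTES = (
    "Package: examplepkg\nVersion: 1.2-3\nDirectory: pool/main/e/examplepkg\n"
    "Checksums-Sha256:\n"
    f" {sha256_hex(DSC_BYTES)} {len(DSC_BYTES)} examplepkg_1.2-3.dsc\n"
    f" {'0' * 64} 10 examplepkg_1.2-3.debian.tar.xz\n\n"
    "Package: otherpkg\nVersion: 0.1-1\nDirectory: pool/main/o/otherpkg\n"
    "Checksums-Sha256:\n"
    f" {'1' * 64} 5 otherpkg_0.1-1.dsc\n"
).encode()
RELEASE_TEXT = (
    "Origin: Debian\nSuite: stable\nSHA256:\n"
    f" {sha256_hex(SOURCES_BYTES)} {len(SOURCES_BYTES)} {SOURCES_PATH}\n"
    f" {'2' * 64} 1234 main/binary-amd64/Packages\n"
)

if __name__ == "__main__":
    print(verify_dsc(RELEASE_TEXT, SOURCES_PATH, SOURCES_BYTES, "examplepkg", "1.2-3", DSC_BYTES))
```

Both the size and the digest are compared at every hop, mirroring what apt does, and a mismatch anywhere in the chain is a hard failure rather than a warning. The remaining work the post identifies, finding which Release/Sources snapshot actually lists the wanted version, is not addressed here.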

More information about the vcs-pkg-discuss mailing list