Johnny Hughes wrote:
[snip]
Using the date added to the mirror is not good. A copy with the wrong switches ... signing with a different key, etc. changes that (when the package is actually the same). Not to mention that we maintain several repos that get rebuilt at different times.
[snip]
It is a major change ... the entire repo is looked at as a whole at rebuild time for the metadata, not as 10,000 packages but as one entity. Because of this fact (as Bryan has pointed out), you would need to keep older entire repo snapshots of the metadata to use to resolve your dependencies separately.
The more I look at this problem, the more I see that a local repo maintained by the local user is the right answer. It works right now, requires no changes, and lets you control EXACTLY what you want in your repo (including files from other places in a single repo).
[snip]
Everyone who has actually done any real configuration management has said this exact thing several times in this thread, and it seems to do absolutely no good.
You can freeze package xxxxx and its dependencies as you see fit, and add only tested packages to the repo. It is just the right way to do version control if you don't want to just use the version control that is published by the repo maintainer.
This has been repeated until people are blue in the face, and it doesn't make a dent.
Mike