[21:30] <Odd_Bloke> Hey folks, I'm trying to determine the provenance of packages in our internal Ubuntu "mirror".  For packages that are still in the Packages file, this is easy enough, but for older versions I think I'm going to need to ask Launchpad(?).  Is there a way to use the API to get from (binary_package_name, version, arch) to the SHA256 of the corresponding Ubuntu package file?
[21:36] <cjwatson> Odd_Bloke: weirdly I can't see any way to specifically ask for a checksum, though if the package was ever in Ubuntu then you should be able to redownload it from LP and compare, e.g. https://launchpad.net/ubuntu/+archive/primary/+files/man-db_2.9.1-1_amd64.deb
[21:37] <cjwatson> if you have the filename of a file once in Ubuntu then you can always construct the URL for it like that
[21:37] <cjwatson> (well possibly except for some _very_ old packages)
[21:44] <Odd_Bloke> cjwatson: Ack, thanks: glad I'm not missing something obvious!  A possible alternative I just stumbled across is to get `build.changesfile_url` and parse `Checksums-Sha256` out of that: that should be both less CPU time for me, and less network traffic traversing the Atlantic from Launchpad, so I suspect will be quite a lot faster.
[21:49] <cjwatson> Hm yeah, I guess that would be a slightly roundabout option
[21:50] <cjwatson> Probably slower for small packages (because it'll involve more round trips) and faster for large ones
[21:51] <cjwatson> I wonder if we could just have the librarian send the sha256 in a header, and then you could get the +files redirect and HEAD the target
[21:51] <Odd_Bloke> Yeah, though I'll also only need to do the fetching once per source package if I cache things right.
[21:54] <Odd_Bloke> Yeah, I was wondering if a HEAD request could get me enough info, but not right now it looks like.