Comment 60 for bug 1267393

Curtis Hovey (sinzui) wrote :

Regarding - release-public-tools.sh doesn't validate downloaded packages. That script has not been used since October 2013.
The current script
    http://bazaar.launchpad.net/~juju-qa/juju-release-tools/trunk/view/head:/assemble-streams.bash
does not use "apt-get download" because that command does not work for all series. The script is run on Jerff (streams.canonical.com), a machine the QA team does not control. We are not permitted to install software on it, nor can we change its apt settings. As the machine is precise, we could only get 3 of the 18 Ubuntu agents built by Launchpad.

The modern script downloads the deb from a private PPA with only one subscriber (the QA team). The packages are downloaded within 30 minutes of being built. As juju doesn't distinguish between patch-level or origin in its checking of versions, and the fact that Juju itself creates fake versions, the assembly and publication scripts validate the collection of agents. Agents cannot be changed. Only the agents added are permitted to be different in the collection. All the agents in the collection are hashed and verified to match the local collection each time the script is run. The publication script rsyncs (or uses the cloud's equivalent feature) the local stream of agents to the cloud. The final check verifies the metadata is identical and public for users to access.

assemble-streams.bash is scheduled to be replaced this cycle. We are considering removing the phase to download debs and make agents. The process is not idempotent. We are considering a separate process controlled solely by the QA team to create and assess agents for the collection (test them before they are placed in streams). We could use "apt-get download" on machines/containers we control to make agents. Streams.canonical.com, like the clouds, would get agents only from the QA team.
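
The append-only validation described in the comment above (existing agents may never change, only additions may differ, everything is hashed on each run), sketched as an added example. It is not part of the original comment or of juju-release-tools; the manifest format, function names and sample files are assumptions.

```shell
#!/bin/sh
# Added example, not code from juju-release-tools.
# Assumed manifest format: one "<sha256>  <path>" line per file, as printed by sha256sum.

# write_manifest DIR: hash every file under DIR, sorted by path.
write_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# check_append_only OLD_MANIFEST DIR
# Status 0 when every file recorded in OLD_MANIFEST is still in DIR with the
# same hash; new files are reported but allowed. Status 1 on a change or removal.
check_append_only() {
    new=$(mktemp) || return 2
    write_manifest "$2" > "$new"
    rc=0
    awk '
        { hash = $1; path = $0; sub(/^[^ ]+ +/, "", path) }
        FILENAME == ARGV[1] { old[path] = hash; next }   # previously recorded agents
        { seen[path] = 1 }
        !(path in old)    { print "added: " path; next }
        old[path] != hash { print "CHANGED: " path; bad = 1 }
        END {
            for (p in old) if (!(p in seen)) { print "MISSING: " p; bad = 1 }
            exit bad + 0
        }
    ' "$1" "$new" || rc=$?
    rm -f "$new"
    return "$rc"
}

# demo: constructed collection with placeholder agent names and contents.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/agents"
    echo "agent A" > "$work/agents/agent-a.tgz"      # constructed sample data
    write_manifest "$work/agents" > "$work/manifest.sha256"
    echo "agent B" > "$work/agents/agent-b.tgz"      # an addition: allowed
    added=0; check_append_only "$work/manifest.sha256" "$work/agents" || added=$?
    echo "tampered" > "$work/agents/agent-a.tgz"     # a change: rejected
    changed=0; check_append_only "$work/manifest.sha256" "$work/agents" || changed=$?
    rm -rf "$work"
    [ "$added" -eq 0 ] && [ "$changed" -eq 1 ]
}
```

The manifest is only rewritten after a run that passes, so a rejected change cannot become the new baseline.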