I'm currently in the midst of building a server monitoring application based around OpenNMS. One thing it's going to need is a way to store up-to-date listings of the packages currently officially available for several Linux distros (Debian, Ubuntu, Red Hat, etc).
Now, I could get this information by parsing security update advisories as they come in and extracting the relevant information from them, but this by no means gives me everything I need, and it's highly susceptible to breaking because it's dependent on everyone following the same template all the time (which, from my experience, just does not happen. Debian Security Advisories are a great example of this. Sometimes a given OS is referred to as 4.0, sometimes as stable, sometimes as Etch, etc...)
My other option is to get a listing of the packages and their current version numbers that are in the official package repositories for the given distro. For Ubuntu and Debian this is quite easy. I can go to a server, download three or four gzipped files, unzip them and parse their contents. They're guaranteed to be relatively stable and consistent because the external packaging toolkit in Debian systems, apt, uses this file, and it needs to be backwards compatible.
Where I hit a snag is in getting equivalent information for Red Hat systems. I support a number of RHEL 2.1, 3, 4 and 5 systems, so they're all subscribed to the relevant up2date channels. I suppose that I could get the package lists off those servers, but it seems a bit clunky to me, and would be terribly inefficient. All I need to know for, say, RHEL 4, is all the packages available for it in Red Hat's repositories, their architecture and the currently available version. I don't want to access the actual packages, since I completely understand that I need a paid support contract for that. I just want to know what's in there, so I can highlight the packages currently on the servers I support where the version numbers don't match what's currently available. (I'd love to be able to say whether a given version number is higher or lower than the official package in the repository, but such evaluations of version numbers are far from as easy as they might seem)
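For the Debian and Ubuntu side described above, here is an added sketch (not code from the original post) that parses a gzipped `Packages` index and flags installed packages that are older than the repository version, using Debian's ordering rules (epoch, upstream version, revision, with `~` sorting before everything). The package names, versions and the `outdated` helper are constructed for illustration; RPM versions follow different rules and are not covered.

```python
import gzip, re
from itertools import zip_longest

def parse_packages(blob):
    """Map (package, architecture) -> version from a gzipped Packages index."""
    index = {}
    for stanza in gzip.decompress(blob).decode().strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t"):  # skip multi-line continuations
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields and "Version" in fields:
            index[fields["Package"], fields.get("Architecture")] = fields["Version"]
    return index

def _order(c):
    # '~' sorts before end-of-string; letters sort before other symbols
    if c == "~": return -1
    if c == "": return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate between non-digit runs (character order) and digit runs (numeric)
    while a or b:
        na, a = re.match(r"([^0-9]*)(.*)", a).groups()
        nb, b = re.match(r"([^0-9]*)(.*)", b).groups()
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da, a = re.match(r"([0-9]*)(.*)", a).groups()
        db, b = re.match(r"([0-9]*)(.*)", b).groups()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    epoch, sep, rest = v.partition(":")           # epoch ends at the first colon
    if not sep: epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")  # revision starts at the last hyphen
    if not sep: upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 according to Debian version ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb: return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def outdated(installed, index):
    """Hypothetical helper: installed entries older than the repository's version."""
    return {k: (v, index[k]) for k, v in installed.items()
            if k in index and compare_versions(v, index[k]) < 0}

# Constructed sample index and host inventory (not real repository data)
SAMPLE = gzip.compress(b"Package: libexample\nVersion: 1:2.4-3\nArchitecture: i386\n"
    b"Description: demo\n extended text\n\nPackage: exampled\nVersion: 1.10-1\nArchitecture: i386\n")
INSTALLED = {("libexample", "i386"): "3.0-1", ("exampled", "i386"): "1.10-1"}
```

The epoch case is the one that defeats naive string or tuple comparison: `3.0-1` looks newer than `1:2.4-3` but sorts lower.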