
Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag



Hi Felix--

On Wed 2019-02-27 13:07:20 -0800, Felix Lechner wrote:
> I wrote a Debian tool to create a shipping manifest with file-based
> hashes. Would it help to include that at the time of packaging? If the
> manifest is signed, we could do away with tarball signatures.

I think what you're describing takes aim at a different problem, so i don't
think it addresses the underlying concern here.  aiui, your tool is
designed to be something operated by the debian developer/maintainer.  if
i'm misunderstanding, i'd be happy to learn more.

At issue in #920763 is our attempt to capture verified *upstream*
cryptographic signatures.  There are (at least) two common practices for
such signatures by upstreams across the free software ecosystem:

 a) detached signatures over tarballs
 b) signed git tags

Today, we have pretty decent tooling to handle (a).  we even distribute
upstream tarball signatures directly when we have them:
(e.g. https://mirrors.edge.kernel.org/debian/pool/main/k/knot/knot_2.6.8.orig.tar.xz
can be verified against the upstream signer's key by fetching
https://mirrors.edge.kernel.org/debian/pool/main/k/knot/knot_2.6.8.orig.tar.xz.asc)

So for (a), we're effectively assembling an archive of all of the
upstream signatures that we know about, which could be used later for
verifying provenance of the source code used.

What we don't have is tooling to handle or aggregate such a verifiable
archive for those upstream signatures that fall under (b).  Do you think
the tool you're describing would help with that?

     --dkg

Attachment: signature.asc
Description: PGP signature
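A signed git tag (case (b) above) carries its OpenPGP signature inline in the tag object rather than in a separate .asc file, so an archive of such signatures has to split each tag object into the signed payload and the armored signature before either can be stored or re-verified. The following is an added illustration, not code from the bug report or from Felix Lechner's tool; the tag object is a constructed sample with a placeholder signature body and a made-up commit id.

```python
import re

# Constructed sample of a git tag object, in the layout `git cat-file tag`
# prints: headers, blank line, tag message, then the armored signature.
# The object id and signature body are placeholders, not real values.
SAMPLE_TAG_OBJECT = """object 0123456789abcdef0123456789abcdef01234567
type commit
tag v2.6.8
tagger Example Upstream <upstream@example.org> 1530000000 +0200

Release v2.6.8
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERSIGNATUREDATA
=ABCD
-----END PGP SIGNATURE-----
"""

# git looks for the armor header at the start of a line; everything before
# that line is the payload the signature was made over.
SIG_RE = re.compile(
    r"^-----BEGIN PGP SIGNATURE-----\n.*?^-----END PGP SIGNATURE-----\n?",
    re.S | re.M,
)


def split_signed_tag(tag_object: str):
    """Return (payload, armored_signature); signature is None if unsigned."""
    m = SIG_RE.search(tag_object)
    if m is None:
        return tag_object, None
    return tag_object[: m.start()], m.group(0)


def tag_headers(payload: str) -> dict:
    """Parse the header block (object/type/tag/tagger) of a tag payload."""
    headers = {}
    for line in payload.split("\n"):
        if line == "":
            break  # blank line ends the headers; message follows
        key, _, value = line.partition(" ")
        headers[key] = value
    return headers


def as_detached_pair(tag_object: str, basename: str) -> dict:
    """Lay a signed tag out like the tarball case: <name> plus <name>.asc."""
    payload, sig = split_signed_tag(tag_object)
    if sig is None:
        raise ValueError("tag object carries no PGP signature")
    return {basename: payload, basename + ".asc": sig}
```

Because the signed payload names a commit id rather than a tarball, re-verifying later needs the tag payload, the .asc and the git object it points to, which is exactly the aggregation gap the message describes.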

