
Re: Potential MBF: packages failing to build twice in a row



Quoting Timo Röhling (2023-08-10 11:56:42)
> Hi,
> 
> * Helmut Grohne <helmut@subdivi.de> [2023-08-10 06:43]:
> >When repacking, the upstream signature becomes useless and external
> >parties can no longer verify it at ease. Including that upstream
> >signature increases trust in the source shipped by Debian being
> >good.
> I don't think that problem is very relevant in practice.
> 
> On the one hand, the vast majority of upstreams I have encountered
> so far do not ship any signatures at all. Some upstreams do not even
> have an immutable release archive; Github (for example) generates
> TARs and ZIPs on the fly and changes the exact format from time to
> time.
> 
> On the other hand, those upstream developers who care enough to go
> the extra mile with a meaningful [1] cryptographic signature,
> probably also pay more attention to the actual files they ship,
> making it less likely to require repacks in the first place.
> 
> 
> Cheers
> Timo
> 
> 
> [1] A signature is only meaningful if the signing key is kept
> secure. If you upload a GPG private key to your favorite code
> hoster and have it sign releases automatically, you have a very
> convenient workflow that achieves nothing at all, because the
> integrity of the release still depends on the integrity of the
> hosting platform.

I disagree that hoster-signed releases are totally worthless.

Even if we in Debian consider (other) hosters not worthy of our trust,
downstreams of Debian may value some hosters differently and find value
in our tracking their offered signatures.

Example: An organisation examines licensing of Chromium as installed
on their Android and Linux systems, expressed as SPDX datasets with SHA1
checksums for upstream tarballs.  They need to do a full analysis for
each upstream release, but would prefer to only need a partial analysis
for each Debian repackaging if possible.  If Debian included a SHA1
which matched a SHA1 in their SPDX dataset then they benefit.  If SHA1s
for one reason or another don't match then it is not a sign of insecurity,
only a more expensive process for them because they then need to analyze
that repackaged tarball as unique instead of as a derivation of
something known to them.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
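The SPDX matching workflow Jonas describes, as an added example that is not part of the thread: a small Python script that collects the SHA1 PackageChecksum values from an SPDX tag-value document and the Checksums-Sha1 stanza of a Debian .dsc (both constructed inline with made-up hashes), then sorts each shipped tarball into "partial" analysis (SHA1 already known to the organisation) or "full" analysis (unique tarball). The SPDX field names are the standard tag-value ones; the .dsc stanza layout is assumed.

```python
import re

# Constructed SPDX tag-value excerpt: two upstream Chromium releases the
# organisation has already analysed, with the SHA1 it recorded for each.
# The hash values are made up for this example.
SPDX_DOC = """\
PackageName: chromium
PackageVersion: 116.0.5845.96
PackageChecksum: SHA1: 3f786850e387550fdab836ed7e6dc881de23001b

PackageName: chromium
PackageVersion: 115.0.5790.170
PackageChecksum: SHA1: 89e6c98d92887913cadf06b2adb97f26cde4849b
"""

# Constructed Checksums-Sha1 stanza in the style of a Debian .dsc file.
# The first tarball is the unmodified upstream release; the second was
# repacked (+dfsg), so its SHA1 cannot match anything upstream published.
DSC_CHECKSUMS = """\
Checksums-Sha1:
 3f786850e387550fdab836ed7e6dc881de23001b 1234567 chromium_116.0.5845.96.orig.tar.xz
 da39a3ee5e6b4b0d3255bfef95601890afd80709 1234568 chromium_115.0.5790.170+dfsg.orig.tar.xz
"""

CHECKSUM_RE = re.compile(r"^PackageChecksum:\s*SHA1:\s*([0-9a-fA-F]{40})\s*$")


def spdx_sha1_set(spdx_text):
    """Collect every SHA1 PackageChecksum value in an SPDX tag-value document."""
    known = set()
    for line in spdx_text.splitlines():
        m = CHECKSUM_RE.match(line)
        if m:
            known.add(m.group(1).lower())
    return known


def dsc_tarballs(dsc_text):
    """Yield (sha1, filename) pairs from the Checksums-Sha1 stanza of a .dsc."""
    in_stanza = False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha1:"):
            in_stanza = True
        elif in_stanza and line.startswith(" "):
            sha1, _size, name = line.split()
            yield sha1.lower(), name
        else:
            in_stanza = False  # any other field ends the stanza


def classify(spdx_text, dsc_text):
    """Map each shipped tarball to 'partial' (SHA1 known) or 'full' analysis."""
    known = spdx_sha1_set(spdx_text)
    return {name: ("partial" if sha1 in known else "full")
            for sha1, name in dsc_tarballs(dsc_text)}
```

A repacked tarball landing in the "full" bucket is the extra cost Jonas mentions, not a security finding; it only means the organisation cannot reuse its earlier analysis.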
