[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: Consequences of redesign of .deb signatures

Hey :)

On 9/2/25 1:55 PM, Guillem Jover wrote:

To be very honest, I've seen the reproducible and key rotation problems
to be such a concern that I don't think we'd want to have those in the
archive. I think embedded signatures do make sense if your primary way
to transport .debs is off-repos and/or you also want to track provenance,
have a small set of binaries, or are prepared to rebuild everything to
be able to re-sign (even on a stable release), otherwise for something
like Debian the current repo-signing has always felt superior in all
possible ways.
I think there is a certain appeal if we could trust the archive only for versioning (i.e. the set of packages in a suite) and not for content. But that would be very far from where we are and key rotation would need to be built into the system. At which point it should probably be some sort of detached signature, not an embedded one. 


And IMA has indeed the same exact problem, where I'm also not convinced
at all about them for the Debian archive. Yet, I still think it would
be nice to have a format that might make it possible to explore that,
because perhaps for some organizations or distribution methods it does
make sense. (Because decoupling the IMA signatures from the general
filesystem metadata payload means injecting or changing them is going
to be way easier.)
Yeah that's fair. Having a format where you can just append some signatures on the fly might make sense here. But then maybe they would need to be authenticated differently than the repo root of trust. 

Kind regards and thanks for working on this
Philipp Kern
Reply to: