Philipp Kern <pkern@debian.org> writes:

> In trying to retrofit this I also ran into the classic "and now I have
> an additional file to InRelease to provide the inclusion proof"
> problem.

What do you think about putting all signatures in the InRelease file?
The content to sign would be the same as the text in the PGP-armored
InRelease file, which (modulo the long-standing final newline
misbehaviour) is the same as the content of the Release file.  There is
no need to care about the Release and Release.gpg files; they can
continue to exist or be removed eventually.

Trixie's InRelease file could look like this to support all of PGP,
SSHSIG, Sigstore cosign and Sigsum:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Debian
Label: Debian
Suite: stable
...
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEETLUBkCB7R1ij9zp5btDnuCZD4TEFAmi8AkkACgkQbtDnuCZD
4THZRw/+JCX/UBnkXLs9jmaE2JULHisBWMKO7VgKZkpzLqcM5slUSDAqCsZ2rZgJ
QdPwsxRHsbQS6y0LtjUHoXTglSarkuR8GjKx6vzjravq8mOgd2/COkm8RbZud/ou
CA5A2iU+x9dmpf/iI7lUkPDSgbAisEWJ4Heqkh2L53n5oce2JVKcEhg6TKZgi2o+
...
-----END PGP SIGNATURE-----
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgJKxoLBJBivUPNTUJUSslQTt2hD
jozKvHarKeN8uYFqgAAAADZm9vAAAAAAAAAFMAAAALc3NoLWVkMjU1MTkAAABAKNC4IEbt
Tq0Fb56xhtuE1/lK9H9RZJfON4o6hE9R4ZGFX98gy0+fFJ/1d2/RxnZky0Y7GojwrZkrHT
FgCqVWAQ==
-----END SSH SIGNATURE-----
-----BEGIN SIGSTORE SIGNATURE-----
MEYCIQCsxZJgidZVqj3+wfxv/LgsMlhBsaPZWgk9LFAWcIPBxwIhAMrN+Wlh38dBcbXR0co/gU+T6OCr07spm5jDmKpPscWa
-----END SIGSTORE SIGNATURE-----
-----BEGIN SIGSUM SIGNATURE-----
version=2
log=44ad38f8226ff9bd27629a41e55df727308d0a1cd8a2c31d3170048ac1dd22a1
leaf=7d57f39e21aafda397c1ec8d413694a7a77b3e86b7cefff4c7d9e87497b41499 b0d90facdb7e557cd3281988b3ae708c5e34fef7859618688a6035a9e0649631197c9fbe791e8d1d10ea9964cf5df41450aab3010459ca33bde306bdf9378e0c

size=1766
root_hash=6922606e008712c738d43379672f55147dd3def6dc9e7f026711a589c528b571
signature=a490f469edff0a8d90b5ba4412fe20ce96dea6f76ee0f03a0aec05fbeda830658faa620c07c083cafe078d554b0055b9384a1f698d84e677c095cd2557790b0c
cosignature=9a0dcddbd96f6d6d404227b5ff23de7a43f25cdde9790af5ace332d347fac49a 1738852707 13b0b825c67ed1dd663c02560e04ce0acee532d1a15858977567087271292cb32432b5ce011461cfd63f2943ebb87c0f27ea8e25ad62fa34f90aee60c3bc9d00
cosignature=506972ae99f752df639c749ac50a741b80d95f114a35420838ac06107ea9bfe8 1738852707 e7175b809ed42a0c04e3fa39ac624e4b3e3d0f496a1d37094a6aee77775a069f2a193a7d74574650e1f406458a65776b9b869e237933697b81c498ff03275e03
cosignature=cd02db1cc0488c28245d7c3ff50b3e214334c067f2571e849425146bb6bd173d 1738852707 63628627994252757c5736eb2a29f053a8f231ca334261fb9a7533980fc1a5f020bdb75ace2e81082486887b35c48544d59157d627be5277fa342327b8fd640e
cosignature=768c9aac6ea5ee9b9c75dd862b70dcb693a2cb37c4ae2f15064e34a1ab260b01 1738852707 29d8ec346c006d832b55f40abad9610b4403fb604f6aea75eaaa12fc45b22d0f202c6458c89db5674ad5d3e3ecf24dc0fb2252f1b29e5cd24ed04f6858986b0f
...
cosignature=0b00d26b3bf3e0ded29f82803abd34c972cb62752305b0e718cf7b8ec1bf99f6 1738852707 93925ba5f6701e177fad16dbc5c29093fbefe1ca282f0e6f9fc9735c73a0904b2f1180591757198bcaef6dbd71ca0de6feb07e6aaddcfae078b07da48bbb0f00

leaf_index=1765
node_hash=9ca4d837a8cddbfa5bc393dae8a921cc861e1803225033c2925e37fa424c3a97
node_hash=a86e497fab2ec81cd9bc29bf51a6337a606137618cd1aa603a44b1134080d5f5
node_hash=98c52da9f6297f866fc92c4bb6aeb3bafc885725be1249b1b6fd5caa81dc0387
node_hash=247f89606e6055ef0e23ce1d91417c0f3f287ad87251e383d165b5fcfa53726c
node_hash=e2821a616175a831075291a79715d775e5e11fb46cad8a867e6161330b0dcb38
node_hash=00a0e50c255202d690c4bbe69f049990d3ebdfeef0288c33fc3deae500d272ff
node_hash=591ffe52c204d4d87feea2be7ef0a63c8b3b4975fabfee45747670c0cf997c04
-----END SIGSUM SIGNATURE-----

/Simon
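The message above sketches an InRelease that carries several signature blocks over one signed text, with each client verifying the block types it understands. The following is an added example of how a client side could consume such a file; it is not Debian, APT or Sigsum code and not anything Simon or Philipp posted. It assumes the block layout sketched in the message (the PGP cleartext framework first, further `-----BEGIN X-----` blocks appended after the PGP signature) and the key=value layout of the Sigsum proof as shown there. The signed bytes are recovered per RFC 4880 section 7, which excludes the line ending before the signature line from the signed text; that is the one-newline difference between the cleartext and a Release file. The Merkle inclusion check is the RFC 9162 (RFC 6962) algorithm. Everything else is constructed for the example: the sample InRelease, the `TEST DIGEST` block standing in for a real signature, the six-leaf toy tree behind the Sigsum proof, the placeholder log/key/signature hex, and the verifier callbacks (a real client would call gpgv, `ssh-keygen -Y verify`, cosign or sigsum-verify there). The Sigsum verifier here checks only the proof's structure, not the tree head signature, cosignatures or leaf signature.

```python
import hashlib
import re

# One "-----BEGIN X-----" ... "-----END X-----" pair per match; "PGP SIGNED MESSAGE" has no END and never matches.
ARMOR_RE = re.compile(r"^-----BEGIN (?P<type>[A-Z ]+?)-----\n(?P<body>.*?)^-----END (?P=type)-----$", re.S | re.M)

def signed_text(inrelease):
    """Bytes every signer is expected to sign (RFC 4880 sect. 7).  The line ending just
    before the PGP SIGNATURE line is not signed: hence the one-newline gap to Release."""
    lines = inrelease.replace("\r\n", "\n").split("\n")
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a PGP cleartext-signed message")
    body = []
    for line in lines[lines.index("", 1) + 1:]:                    # skip "Hash: ..." headers
        if line == "-----BEGIN PGP SIGNATURE-----":
            return "\n".join(body).encode()
        body.append(line[2:] if line.startswith("- ") else line)   # dash-unescape
    raise ValueError("missing PGP signature block")

def signature_blocks(inrelease):
    """Armor type ("PGP SIGNATURE", "SSH SIGNATURE", ...) -> list of block bodies."""
    blocks = {}
    for m in ARMOR_RE.finditer(inrelease.replace("\r\n", "\n")):
        blocks.setdefault(m.group("type"), []).append(m.group("body").strip())
    return blocks

def verify_inrelease(inrelease, verifiers, policy="all"):
    """Route blocks to verifiers[type](signed_bytes, body) -> bool.  Unknown types are ignored
    (an old apt only sees PGP); a duplicated configured type is an error, not a choice;
    policy "all" needs every configured type present and valid, "any" needs one."""
    data, blocks, results = signed_text(inrelease), signature_blocks(inrelease), {}
    for kind, verify in verifiers.items():
        bodies = blocks.get(kind, [])
        if len(bodies) > 1:
            raise ValueError(f"{len(bodies)} {kind} blocks, expected one")
        results[kind] = bool(bodies) and verify(data, bodies[0])
    return (all if policy == "all" else any)(results.values()), results

def rfc9162_inclusion_root(leaf_hash, index, size, path):
    """Recompute the root from an inclusion path (RFC 9162 sect. 2.1.3.2); ValueError if the
    path length does not fit index/size."""
    node = lambda left, right: hashlib.sha256(b"\x01" + left + right).digest()
    fn, sn, r = index, size - 1, leaf_hash
    for p in path:
        if sn == 0:
            raise ValueError("inclusion path too long")
        if fn & 1 or fn == sn:
            r = node(p, r)
            while fn and not fn & 1:                          # shift until LSB(fn) set or fn == 0
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node(r, p)
        fn, sn = fn >> 1, sn >> 1
    if sn != 0:
        raise ValueError("inclusion path too short")
    return r

def parse_sigsum_proof(body):   # key=value lines -> {key: [[field, ...], ...]}; node_hash/cosignature repeat
    proof = {}
    for key, _, value in (l.strip().partition("=") for l in body.splitlines() if l.strip()):
        proof.setdefault(key, []).append(value.split())
    return proof

def sigsum_shape_ok(signed, body):
    """Structural check only: version 2, 32-byte root, path length fitting leaf_index/size.
    A real client also verifies the tree head signature, cosignatures and leaf signature."""
    try:
        p = parse_sigsum_proof(body)
        rfc9162_inclusion_root(b"\0" * 32, int(p["leaf_index"][0][0]), int(p["size"][0][0]),
                               [bytes.fromhex(h[0]) for h in p["node_hash"]])
        return p["version"] == [["2"]] and len(bytes.fromhex(p["root_hash"][0][0])) == 32
    except (ValueError, KeyError):
        return False

# --- constructed demo input: a toy RFC 6962 tree, no real Debian file, key or log ---
leaf_hash = lambda data: hashlib.sha256(b"\x00" + data).digest()
pow2_below = lambda n: 1 << (n - 1).bit_length() - 1               # largest power of two below n

def mth(h):                                                         # RFC 6962 MTH(D[n])
    k = pow2_below(len(h)) if len(h) > 1 else 0
    return h[0] if len(h) == 1 else hashlib.sha256(b"\x01" + mth(h[:k]) + mth(h[k:])).digest()

def inclusion_path(m, h):                                           # RFC 6962 PATH(m, D[n])
    if len(h) == 1:
        return []
    k = pow2_below(len(h))
    return inclusion_path(m, h[:k]) + [mth(h[k:])] if m < k else inclusion_path(m - k, h[k:]) + [mth(h[:k])]

DEMO_LEAVES = [leaf_hash(b"entry %d" % i) for i in range(6)]
RELEASE_TEXT = "Origin: Debian\nLabel: Debian\nSuite: stable\n-- a line that needs dash-escaping\n"

def build_sample():
    """InRelease with a placeholder PGP block, a TEST DIGEST stand-in and a Sigsum proof for leaf 5."""
    signed = RELEASE_TEXT[:-1]                                      # Release minus its final newline
    escaped = "\n".join("- " + l if l.startswith("-") else l for l in signed.split("\n"))
    path = "\n".join("node_hash=" + p.hex() for p in inclusion_path(5, DEMO_LEAVES))
    sigsum = (f"version=2\nlog={'00' * 32}\nleaf={'11' * 32} {'22' * 64}\n\nsize=6\n"
              f"root_hash={mth(DEMO_LEAVES).hex()}\nsignature={'33' * 64}\n\nleaf_index=5\n{path}")
    return (f"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n{escaped}\n-----BEGIN PGP SIGNATURE-----\n\n"
            "bm90IGEgcmVhbCBzaWduYXR1cmU=\n=AAAA\n-----END PGP SIGNATURE-----\n"
            f"-----BEGIN TEST DIGEST-----\n{hashlib.sha256(signed.encode()).hexdigest()}\n-----END TEST DIGEST-----\n"
            f"-----BEGIN SIGSUM SIGNATURE-----\n{sigsum}\n-----END SIGSUM SIGNATURE-----\n")

VERIFIERS = {"TEST DIGEST": lambda signed, body: hashlib.sha256(signed).hexdigest() == body,
             "SIGSUM SIGNATURE": sigsum_shape_ok}   # stand-ins for gpgv / ssh-keygen -Y / cosign / sigsum-verify
```

`verify_inrelease(build_sample(), VERIFIERS)` returns `(True, {...})` for the constructed file; configuring a type the file lacks (say `"SSH SIGNATURE"`) makes policy `"all"` fail while `"any"` still passes, which is the knob an operator would turn when migrating clients from PGP-only to a second signature family.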