Re: Hard Rust requirements from May onward



Simon Richter <sjr@debian.org> writes:

> Hi,
>
> On 11/10/25 6:51 AM, Simon Josefsson wrote:
>
>> Yes -- that should be fixed.  From a specification/policy point of view,
>> I think what should be done is simple: forget about Release+Release.gpg
>> as obsolete, and only use InRelease files.  What to sign is the YAML
>> content with all lines ending with EOL.
>
> Is there a need for a file format that supports hierarchical
> structures, or would deb822 work better?

I'm not sure anyone has answers, at least I don't.  Maybe we could list
design considerations?

- Goal: support protection of Release/InRelease using signatures based
  on multiple frameworks such as SSHSIG, Sigstore, Sigsum, minisign,
  signify, age, whatever...

- Nice to have: reduce today's complexity with PGP to only be in one
  file -- I think we could stop publishing Release+Release.gpg and fix
  whatever tooling breaks as a result (apt is mostly fine), relying only
  on InRelease.  This would also drop the number of PGP sig operations.

- Nice to have: don't add round-trip latency fetching multiple files.
  This one argues for putting everything in one file, such as extending
  InRelease.

  Maybe this could be achieved through some other means?  Having a
  per-aptsource configuration indicating the protection method, and then
  only fetch that file?  Such as Release.sigsum or Release.sigstore.  I
  think supporting more than one mechanism isn't entirely unreasonable,
  so this adds two files that need to be fetched, which isn't optimal.

  Alternatively, continue using the Release file but add Release.sigstore and
  Release.sigsum etc?

- Nice to have: plaintext files, YAML or DEB822?

- Critical: a migration plan for how the trixie->forky(->duke)
  transition should work.

- Input from the team that supports Release.gpg/InRelease-generation today,
  what are the restrictions and needs?  Presumably having all tools
  needed in stable(+-backports) is required, but I think we mostly
  already do.  Python and C packaging would be nice, if people hate Go.

- Input from apt team, what can be implemented and supported?

/Simon

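As an added illustration of what the InRelease file being discussed above carries and what apt checks against it (example code written for this page, not Debian or apt code): strip the clearsign armour, parse the deb822 stanza, and verify an index file against the SHA256 table. The index file and the InRelease text are constructed samples with a placeholder where the signature would be, so the signature itself is not verified here.

```python
import hashlib
import hmac
import re

# Constructed sample index file and the clearsigned InRelease that covers it.
# The SHA256 line is computed from PACKAGES so the sample is self-consistent;
# the armour carries a placeholder, not a real signature.
PACKAGES = b"Package: hello\nVersion: 2.10-3\nArchitecture: amd64\n\n"
INRELEASE = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Origin: Example
Suite: stable
SHA256:
 {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

def clearsigned_body(text):
    """Strip the clearsign armour and return the signed payload.  The signature
    must be verified over this payload before any field in it is trusted."""
    m = re.search(r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:Hash: [^\n]*\n)*\n"
                  r"(.*?)\n-----BEGIN PGP SIGNATURE-----", text, re.S)
    if not m:
        raise ValueError("not a clearsigned document")
    # Undo OpenPGP dash-escaping of payload lines that start with "-".
    return "\n".join(l[2:] if l.startswith("- ") else l
                     for l in m.group(1).split("\n"))

def parse_deb822(stanza):
    """Parse one deb822 stanza; indented continuation lines extend a field."""
    fields, key = {}, None
    for line in stanza.split("\n"):
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def verify_index(fields, path, data, algo="SHA256"):
    """True if data has the size and digest the Release hash table lists for path."""
    for entry in fields.get(algo, "").splitlines():
        parts = entry.split()  # "<hex digest> <size> <path>"
        if len(parts) == 3 and parts[2] == path:
            actual = hashlib.new(algo.lower(), data).hexdigest()
            return len(data) == int(parts[1]) and hmac.compare_digest(actual, parts[0])
    return False
```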