David Kalnischkies <david@kalnischkies.de> writes:

>> > - Nice to have: don't add round-trip latency fetching multiple files.
>> >   This one argues for putting everything in one file, such as extending
>> >   InRelease.
>
> The main argument for InRelease was that Release and Release.gpg were
> frequently out-of-sync due to different caching and/or different mirrors
> answering the two requests (go read Simon McVittie's reply explaining
> that in more detail).

Indeed! Let's not separate content from signature. They must be
transferred together. So the Release.sigstore and Release.sigsum idea is
probably a bad one.

The above also ties into the crypto argument that detached signature
APIs are inherently insecure, and having APIs (and thus file formats)
that return a trusted message only on verification success is more
robust.

I think we are stuck supporting detached signature formats for some
time, but let's see if we can design a solution that permits both
approaches.

/Simon
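The two API shapes contrasted in the message above, as an added sketch that is not part of the original e-mail or of APT. HMAC-SHA256 with a constructed key stands in for the OpenPGP signature, and `seal`, `open_sealed`, `verify_detached` and `fetch_detached_skewed` are hypothetical names.

```python
import hashlib
import hmac

# Constructed demo key. HMAC-SHA256 is a stand-in for the OpenPGP signature
# so this runs on the standard library alone; the API shape is the point.
KEY = b"constructed-demo-key"
OLD = b"Suite: stable\nDate: day 1\n"  # constructed Release, mirror state 1
NEW = b"Suite: stable\nDate: day 2\n"  # constructed Release, mirror state 2


class BadSignature(Exception):
    """Raised instead of returning unverified content."""


def _tag(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).digest()


def verify_detached(body: bytes, tag: bytes) -> bool:
    """Detached style: the caller already holds body, whatever this returns."""
    return hmac.compare_digest(tag, _tag(body))


def fetch_detached_skewed() -> tuple[bytes, bytes]:
    """Two requests answered from different mirror states."""
    return NEW, _tag(OLD)  # new Release, stale Release.gpg


def seal(body: bytes) -> bytes:
    """Combined style (InRelease-like): tag and body travel as one blob."""
    return _tag(body).hex().encode("ascii") + b"\n" + body


def open_sealed(blob: bytes) -> bytes:
    """Return the body only when its tag verifies; otherwise raise."""
    tag_hex, sep, body = blob.partition(b"\n")
    try:
        tag = bytes.fromhex(tag_hex.decode("ascii"))
    except ValueError as exc:  # also covers UnicodeDecodeError
        raise BadSignature("malformed tag") from exc
    if not sep or not hmac.compare_digest(tag, _tag(body)):
        raise BadSignature("tag does not match body")
    return body


if __name__ == "__main__":
    body, tag = fetch_detached_skewed()
    print("detached, skewed mirrors:", verify_detached(body, tag))
    print("combined:", open_sealed(seal(NEW)) == NEW)
```

In the detached case a caller that ignores or mishandles the boolean still has the unverified bytes in hand; in the combined case there is no code path that yields the body without a successful check.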