Re: purpose of InRelease in apt [was: non-GPG signatures; was: Rust requirements]

To: debian-devel@lists.debian.org
Subject: Re: purpose of InRelease in apt [was: non-GPG signatures; was: Rust requirements]
From: Stefano Rivera <stefanor@debian.org>
Date: Thu, 13 Nov 2025 12:11:00 +0000
Message-id: <[🔎] 525nnjpfmfzpfomgllhyqqdibe6l3ieultryr3q6ylq6zlhpyh@3xvp5pnj7x53>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] aRIMiiR-tR-lVNrP@remnant.pseudorandom.co.uk>
References: <[🔎] 874irdkhjx.fsf@josefsson.org> <[🔎] aQYahy1jj28quap0@belkar.wrar.name> <[🔎] 87fraxfsxw.fsf@josefsson.org> <[🔎] 14b65ce9-4370-4e38-9d65-964c50f08583@debian.org> <[🔎] 87zf9493vx.fsf@josefsson.org> <[🔎] 0b6d3066-53ff-4e5f-ab2b-be027991ce14@debian.org> <[🔎] 87v7ji6fjj.fsf@biskvi.sjd.se> <[🔎] 4386e332-ecbb-4f67-b299-5c2efda3bff1@debian.org> <[🔎] 87wm3ynosl.fsf@biskvi.sjd.se> <[🔎] aRIMiiR-tR-lVNrP@remnant.pseudorandom.co.uk>

Hi Simon (2025.11.10_16:02:18_+0000)

My understanding is that this is not actually the purpose ofInRelease, although it's a desirable side-effect. Instead, the pointof InRelease is that if the top-level metadata (Release file) isserved in the same file as its signatures and during the same httptransaction, then it cannot possibly be inconsistent, even during amirror resync

I could imagine a scheme where signatures are written to separate filesby Release file hash:


by-hash/$(sha512 Release).{gpg,sigstore,*}

That would be two file downloads, but you can have the same guaranteethat the signatures exist before you update the Release files.


Stefano

--
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272

Reply to:

Follow-Ups:
- Re: purpose of InRelease in apt [was: non-GPG signatures; was: Rust requirements]
  - From: Simon Josefsson <simon@josefsson.org>

References:
- Re: Hard Rust requirements from May onward
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Hard Rust requirements from May onward
  - From: Andrey Rakhmatullin <wrar@debian.org>
- Re: Hard Rust requirements from May onward
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Hard Rust requirements from May onward
  - From: Philipp Kern <pkern@debian.org>
- Re: Hard Rust requirements from May onward
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Hard Rust requirements from May onward
  - From: Philipp Kern <pkern@debian.org>
- Re: Hard Rust requirements from May onward
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Hard Rust requirements from May onward
  - From: Simon Richter <sjr@debian.org>
- Re: Hard Rust requirements from May onward
  - From: Simon Josefsson <simon@josefsson.org>
- Re: purpose of InRelease in apt [was: non-GPG signatures; was: Rust requirements]
  - From: Simon McVittie <smcv@debian.org>

Prev by Date: Re: Seeking new members for the DFSG team (Re: Bits from the DPL)
Next by Date: Re: Seeking new members for the DFSG team (Re: Bits from the DPL)
Previous by thread: Re: purpose of InRelease in apt [was: non-GPG signatures; was: Rust requirements]
Next by thread: Re: purpose of InRelease in apt [was: non-GPG signatures; was: Rust requirements]
Index(es):
- Date
- Thread