Re: Secure boot signing infrastructure - feedback request

On Mon, Oct  9, 2017 at 17:38:56 +0100, Steve McIntyre wrote:

> On Mon, Oct 09, 2017 at 02:01:15PM +0100, Ben Hutchings wrote:
> >It also makes all these packages unreproducible, which is a policy
> >violation.
> Surely *anything* with a signature is going to be unreproducible
> directly, by definition. To check for reproducibility, you'll need to
> strip the signatures. Or are you claiming something else?

No, the previous scheme allowed reproducibility (in the
"dpkg-buildpackage from the source package results in the exact same
.deb files" sense), since the signatures were shipped as part of a
source package.  Attaching fixed signatures to fixed binaries is


