[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

On 09/19/2014 12:34 AM, Paul Wise wrote:
> On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote:
>> Finally did this:
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762153
> Please note that you proposal to add signatures to .deb files will
> break reproducible builds because the hash of the .deb will differ
> depending on who signed it:
> https://wiki.debian.org/ReproducibleBuilds
> I think it would be far better to ship detached signatures in the
> archive since that allows for reproducible builds and also means there
> could be more than one signer (say one buildd, one Debian sponsor and
> one package maintainer).

I agree with pabs on this.

fwiw, i'm also hoping that we can ship at least one other signature for
the upstream tarball (where such a thing exists):


We also had a discussion in the reproducible-builds BoF at DC14 about
how to deal with signatures on .buildinfo files, and came to the same
conclusion: that a .buildinfo file should have detached signatures, to
allow for multiple (corroborative) signers:


Note that a signature over a .buildinfo file should effectively cover
the digest of the built .deb files, which should creates a strong
cryptographic chain if you trust the hash function.

Given that we would ultimately like one or more signed .buildinfo files
shipped in the archive, and that they represent a way to have an
builder's signature over a .deb, i think these make the idea of an
internally-signed .deb redundant.

Thanks to everyone who is thinking about and working on improving the
cryptographic integrity of the archive!


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: