Re: concrete steps for improving apt downloading security and privacy
On 19.09.14 at 06:34, Paul Wise wrote:
Isn't there really any way to include the signatures in the header
of the .deb files?
Why not simply add multiple signature files in the control.tar.gz of a
.deb just next
to the md5sums which should indeed be a sha256sums (otherwise there is
to establish a 'chain of trust'). That would not add any non-determinism
On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote:
Finally did this:
Please note that your proposal to add signatures to .deb files will
break reproducible builds because the hash of the .deb will differ
depending on who signed it:
I think it would be far better to ship detached signatures in the
archive since that allows for reproducible builds and also means there
could be more than one signer (say one buildd, one Debian sponsor and
one package maintainer).
if it is done right then we can have all the signers in the package!
It would be far better than detaching the signatures from the
the general use case where you need package signatures is the manual
of packages. Detached signatures are completely useless for such a use case!
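The following is an added example, not code from any participant in the thread or from Debian's tooling. It models the two schemes under discussion: a control archive carrying a sha256sums member (in place of md5sums), signatures embedded inside control.tar versus detached signatures stored beside the package. Real .deb packages are ar archives with gzip- or xz-compressed members and OpenPGP signatures; here the "package" is two deterministic uncompressed tars, the sample files are constructed, and HMAC-SHA256 keyed per signer is a stand-in for a real signature so the script runs offline with only the standard library.

```python
"""Added example: why signatures embedded in the control archive change the
package digest, while detached signatures leave it untouched."""
import hashlib
import hmac
import io
import tarfile

# Constructed sample payload, standing in for a real package's data members.
DATA_FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"sample package\n",
}


def sha256sums_text(files):
    """Render a sha256sums control file (same layout as md5sums, stronger hash)."""
    lines = [f"{hashlib.sha256(files[p]).hexdigest()}  {p}" for p in sorted(files)]
    return "\n".join(lines) + "\n"


def verify_sha256sums(text, files):
    """Check every listed file against its recorded SHA-256; False on any mismatch."""
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        if path not in files or hashlib.sha256(files[path]).hexdigest() != digest:
            return False
    return True


def deterministic_tar(members):
    """Pack members into an uncompressed tar with fixed metadata (sorted names,
    zeroed mtime/uid/gid, empty owner names) so identical input gives identical bytes.
    Compression is skipped because a gzip header would carry a timestamp."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(members):
            info = tarfile.TarInfo(name=path)
            info.size = len(members[path])
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(members[path]))
    return buf.getvalue()


def package_digest(control_members):
    """Digest of the whole 'package' (control tar followed by data tar)."""
    return hashlib.sha256(
        deterministic_tar(control_members) + deterministic_tar(DATA_FILES)
    ).hexdigest()


def toy_sign(signer_key, message):
    """Hypothetical stand-in for an OpenPGP signature: HMAC-SHA256 keyed per signer."""
    return hmac.new(signer_key, message, hashlib.sha256).hexdigest()


def embedded_vs_detached(signers):
    """Compare both schemes for a set of signers (name -> key bytes).
    Returns (unsigned_digest, {signer: digest with embedded sig}, {signer: detached sig})."""
    base_control = {
        "control": b"Package: hello\nVersion: 1.0\n",
        "sha256sums": sha256sums_text(DATA_FILES).encode(),
    }
    unsigned = package_digest(base_control)
    # Embedded: each signer's signature becomes a control member, so the bytes
    # being hashed now depend on who signed -> one digest per signer.
    embedded = {}
    for name, key in signers.items():
        signed_control = dict(base_control)
        signed_control[f"_signature_{name}"] = toy_sign(key, unsigned.encode()).encode()
        embedded[name] = package_digest(signed_control)
    # Detached: signatures live outside the package; any number of signers can
    # sign the same unchanged digest.
    detached = {name: toy_sign(key, unsigned.encode()) for name, key in signers.items()}
    return unsigned, embedded, detached


if __name__ == "__main__":
    unsigned, embedded, detached = embedded_vs_detached({"buildd": b"k1", "maintainer": b"k2"})
    print("unsigned package digest :", unsigned)
    for name, digest in embedded.items():
        print(f"embedded sig ({name:10s}):", digest)
    print("detached signers        :", sorted(detached))
```

Running the script shows a distinct package digest for each embedded signer, none equal to the unsigned digest, whereas the detached variant keeps the one reproducible digest and simply accumulates signatures next to it.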