Re: concrete steps for improving apt downloading security and privacy

On 19.09.14 at 06:34, Paul Wise wrote:
> On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote:
>
>> Finally did this:
>
> Please note that your proposal to add signatures to .deb files will
> break reproducible builds because the hash of the .deb will differ
> depending on who signed it:
>
>
> I think it would be far better to ship detached signatures in the
> archive since that allows for reproducible builds and also means there
> could be more than one signer (say one buildd, one Debian sponsor and
> one package maintainer).

Isn't there really any way to include the signatures in the header of the
.deb files? Why not simply add multiple signature files in the
control.tar.gz of a .deb, just next to the md5sums, which should indeed be
a sha256sums (otherwise there is no way to establish a 'chain of trust')?
That would not add any non-determinism because, if it is done right, we
can have all the signers in the package! It would be far better than
detaching the signatures from the package, because the general use case
where you need package signatures is the manual download of packages.
Detached signatures are completely useless for such a use case!
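To make the two positions in this thread concrete, here is an added example (not code from either poster or from Debian's tooling) that assembles a toy .deb as an ar archive and checks what a signature file dropped into control.tar.gz does to the hashes. The package contents, the `_signature` member name and the placeholder signature bytes are all constructed for the demonstration.

```python
import gzip
import hashlib
import io
import tarfile

def tar_gz(members):
    """Deterministic .tar.gz: sorted names, zero mtimes, no gzip timestamp."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz, \
            tarfile.open(fileobj=gz, mode="w") as tar:
        for name, data in sorted(members.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def ar_archive(members):
    """Minimal ar writer: the outer container format of a .deb."""
    out = b"!<arch>\n"
    for name, data in members:  # 60-byte header: name, mtime, uid, gid, mode, size, magic
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")  # members are 2-byte aligned
    return out

def ar_member(archive, wanted):
    """Return one member of an ar archive by name."""
    pos = 8
    while pos < len(archive):
        name = archive[pos:pos + 16].decode().strip()
        size = int(archive[pos + 48:pos + 58])
        if name == wanted:
            return archive[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2
    raise KeyError(wanted)

PAYLOAD = {"usr/bin/demo": b"#!/bin/sh\necho demo\n"}  # constructed package content

def build_deb(signature=b""):
    """Assemble a .deb; a non-empty signature is placed inside control.tar.gz."""
    sums = b"".join(hashlib.sha256(d).hexdigest().encode() + b"  " + n.encode() + b"\n"
                    for n, d in sorted(PAYLOAD.items()))
    control = {"control": b"Package: demo\nVersion: 1.0\n", "sha256sums": sums}
    if signature:
        control["_signature"] = signature  # hypothetical member name, placed next to sha256sums
    return ar_archive([("debian-binary", b"2.0\n"),
                       ("control.tar.gz", tar_gz(control)),
                       ("data.tar.gz", tar_gz(PAYLOAD))])

def compare(signature):
    """Does an in-archive signature change the .deb hash? The payload hash? Is it repeatable?"""
    plain, signed = build_deb(), build_deb(signature)
    sha = lambda b: hashlib.sha256(b).hexdigest()
    return {"deb_hash_changed": sha(plain) != sha(signed),
            "payload_hash_changed": sha(ar_member(plain, "data.tar.gz")) != sha(ar_member(signed, "data.tar.gz")),
            "build_is_deterministic": build_deb(signature) == signed}
```

The outer .deb digest moves as soon as a signature is embedded, while data.tar.gz (what a detached signature would cover) stays byte-identical; the embedded variant is only repeatable when every signer and signature is fixed in advance.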

