Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
On 2014-09-21 20:04, Elmar Stellnberger wrote:
> A package with some new signatures added is no more the old package.
> It should have a different checksum and be made available again for update.
> Perhaps someone wants to install the package not before certain signatures
> have been added.
If a package would change by adding another signature, then this
would invalidate previous signatures. Exactly because of your
use case (waiting for a number of signatures or waiting for a
specific signature before installation) the signature must be
separated from the actual package.