[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

On 2014-09-21 20:04, Elmar Stellnberger wrote:
>    A package with some new signatures added is no more the old package.
> It should have a different checksum and be made available again for update.
> Perhaps someone wants to install the package not before certain signatures
> have been added.

If a package would change by adding another signature, then this
would invalidate previous signatures. Exactly because of your
use case (waiting for a number of signatures or waiting for a
specific signature before installation) the signature must be
separated from the actual package.

Reply to: