Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

To: "debian-security@lists.debian.org" <debian-security@lists.debian.org>, Reproducible Builds discussion list <reproducible-builds@lists.alioth.debian.org>, "762153@bugs.debian.org" <762153@bugs.debian.org>
Subject: Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
From: Richard van den Berg <richard@vdberg.org>
Date: Sun, 21 Sep 2014 21:13:50 +0200
Message-id: <[🔎] 8CE64B3D-6269-47A6-8CF2-5ECAA631BDCD@vdberg.org>
In-reply-to: <[🔎] 20140921182918.GA27550@fama>
References: <CACJnc4hN93PJHuWm_GU-sXASW-65OaDtNJL6jH0gumqbyLsv8Q@mail.gmail.com> <201407161406.05061.holger@layer-acht.org> <53C6A7C1.7080800@at.or.at> <201407221617.47375.holger@layer-acht.org> <[🔎] 541B8750.603@at.or.at> <[🔎] CAKTje6EGFXcOpT3K7C2imneW4FPxnypwQfNUMjuLZ3=k1pFh8w@mail.gmail.com> <[🔎] 541C005D.2010404@gmail.com> <[🔎] 541C2CC5.8000406@fifthhorseman.net> <[🔎] 541F134A.3080603@gmail.com> <[🔎] 20140921182918.GA27550@fama>

On 21 sep. 2014, at 20:29, W. Martin Borgert <debacle@debian.org> wrote:
> If a package would change by adding another signature, then this
> would invalidate previous signatures.

Package formats like apk and jar avoid this chicken and egg problem by hashing the files inside a package, and storing those hashes in a manifest file. Signatures only sign the manifest file. The manifest itself and the signature files are not part of the manifest, but are part of the package. So a package including it's signature(s) is still a single file.

Richard

Reply to:

Follow-Ups:
- Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
  - From: "W. Martin Borgert" <debacle@debian.org>
- Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
  - From: Stefan Fritsch <sf@sfritsch.de>

References:
- Re: concrete steps for improving apt downloading security and privacy
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Paul Wise <pabs@debian.org>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Elmar Stellnberger <estellnb@gmail.com>
- Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
  - From: Elmar Stellnberger <estellnb@gmail.com>
- Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
  - From: "W. Martin Borgert" <debacle@debian.org>

Prev by Date: Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
Next by Date: Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
Previous by thread: Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
Next by thread: Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
Index(es):
- Date
- Thread