[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

On 2014-09-21 21:13, Richard van den Berg wrote:
> Package formats like apk and jar avoid this chicken and egg problem by hashing the files inside a package, and storing those hashes in a manifest file.

Is there a "chicken and egg problem"? Only if one insists on embedding
the signatures in one file, I would say.

> Signatures only sign the manifest file. The manifest itself and the signature files are not part of the manifest, but are part of the package. So a package including it's signature(s) is still a single file.

This is nice, indeed, but: The Debian repository is mirrored all over
the world and distributed on DVSs/CDs. If package files change
whenever a signature is added, this would lead to needless traffic and
obliterate readonly media.

(Well, rsync would mitigate the mirror problem by only transmitting
the signature parts of a file, right?)

Reply to: