Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:

> A package with some new signatures added is no more the old package.

That is exactly what we do *not* want for reproducible builds.

> It should have a different checksum and be made available again for update.

The Debian archive does not allow files to change their checksum, so
every signature addition requires a new version number. That sounds
like a bad idea to me.

> Perhaps someone wants to install the package not before certain signatures
> have been added.

That's a good idea and it could certainly be implemented with the
design behind reproducible builds as well.

> Your thought experiment would this way of course require an adjusted
> toolchain i.e. sth. like dpkg-cmp that outputs differences in the

We definitely need a tool like this for reproducible builds and indeed
it already exists:
Reproducible builds and independent verification of those builds by