[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:

>    A package with some new signatures added is no more the old package.

That is exactly what we do *not* want for reproducible builds.

> It should have a different checksum and be made available again for update.

The Debian archive does not allow files to change their checksum, so
every signature addition requires a new version number. That sounds
like a bad idea to me.

> Perhaps someone wants to install the package not before certain signatures
> have been added.

Thats a good idea and it could certainly be implemented with the
design behind reproducible builds as well.

> Your thought experiment would this way of course require an adjusted
> toolchain i.e. sth. like dpkg-cmp that outputs differences in the

We definitely need a tool like this for reproducible builds and indeed
it already exists:


Reproducible builds and independent verification of those builds by
multiple parties



Reply to: