On 22.09.14 at 01:52, Paul Wise wrote:
> On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:
>> A package with some new signatures added is no more the old package.
>
> That is exactly what we do *not* want for reproducible builds.
>
>> It should have a different checksum and be made available again for update.
>
> The Debian archive does not allow files to change their checksum, so every
> signature addition requires a new version number. That sounds like a bad
> idea to me.

Yes, that is something we definitely do not want. Nonetheless it would still
be an issue to have the package and the signatures in one file because we
usually need them together. My only idea to realize this in spite of the said
objection would be another proposal:

Put the .deb and the signatures into one .ar called .sdeb and make tools like
dpkg work on .sdebs or on .deb + signatures respectively. Whenever someone
offers some packages for download, that will be in the form of .sdebs, while
official Debian repositories may separate both kinds of files. User interfaces
like http://debtags.debian.net/search/ could then generate .sdebs on the fly
to satisfy petted users.
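The .sdeb wrapper proposed above, as an added example that is not Debian or dpkg code: a minimal classic-ar packer and unpacker showing that bundling signatures next to a .deb leaves the inner .deb's checksum unchanged while only the wrapper's checksum varies. The member names, the .sdeb extension and the package bytes are constructed assumptions, not real artifacts.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"


def pack_sdeb(members):
    """Write members ({name: bytes}) as a classic ar archive (names <= 16 bytes)."""
    out = bytearray(AR_MAGIC)
    for name, data in members.items():
        if len(name) > 16:
            raise ValueError("classic ar member names are limited to 16 bytes")
        # Header: name(16) mtime(12) uid(6) gid(6) mode(8 octal) size(10) "`\n" = 60 bytes
        hdr = b"%-16s%-12d%-6d%-6d%-8o%-10d`\n" % (
            name.encode(), 0, 0, 0, 0o100644, len(data))
        out += hdr + data
        if len(data) % 2:  # every member starts on an even offset
            out += b"\n"
    return bytes(out)


def unpack_sdeb(blob):
    """Parse an ar archive back into {name: bytes}, refusing corrupt headers."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), {}
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("truncated or corrupt ar header")
        name = hdr[:16].rstrip().decode()
        size = int(hdr[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("member %r is truncated" % name)
        members[name] = data
        pos += 60 + size + (size % 2)
    return members


def sha256(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    deb = b"constructed stand-in for foo_1.0_amd64.deb\n"  # not a real package
    one_sig = pack_sdeb({"foo.deb": deb, "foo.deb.sig1": b"sig-A"})
    two_sigs = pack_sdeb({"foo.deb": deb, "foo.deb.sig1": b"sig-A", "foo.deb.sig2": b"sig-B"})
    # The wrapper changes when a signature is added; the inner .deb does not.
    print(sha256(one_sig) != sha256(two_sigs), sha256(unpack_sdeb(two_sigs)["foo.deb"]) == sha256(deb))
```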