Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

On 22.09.14 at 01:52, Paul Wise wrote:
On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:

    A package with some new signatures added is no longer the old package.
That is exactly what we do *not* want for reproducible builds.

    It should have a different checksum and be made available again for update.
The Debian archive does not allow files to change their checksum, so
every signature addition requires a new version number. That sounds
like a bad idea to me.
Yes, that is something we definitely do not want.
Nonetheless it would still be an issue to have the package and the signatures in one file because we usually need them together. My only idea to realize this
in spite of the said objection would be another proposal:
Put the .deb and the signatures into one .ar called .sdeb and make tools like
dpkg work on .sdebs or on .deb + signatures respectively. Whenever someone
offers some packages for download that will be in the form of .sdebs while
official Debian repositories may separate both kinds of files. User interfaces
like http://debtags.debian.net/search/ could then generate .sdebs on the fly
to satisfy petted users.
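As an added illustration of the .sdeb idea sketched above (not code from the thread or from dpkg), the following Python script wraps an unchanged .deb together with any number of detached signatures in a classic ar archive, splits the wrapper back into its parts, and shows that adding a signature changes the wrapper's checksum but never the checksum of the inner .deb, which is the property the reproducible-builds objection cares about. The .deb bytes and the signer keys are constructed sample data, the ".sig" member naming and the 16-byte member-name limit (no GNU long-name table) are my assumptions, and an HMAC-SHA256 over the .deb stands in for a real OpenPGP detached signature.

```python
"""Added example: an ar-based ".sdeb" wrapper around an untouched .deb plus
detached signatures. All data below is constructed; HMAC-SHA256 with a shared
key stands in for an OpenPGP detached signature."""
import hashlib
import hmac
import io

AR_MAGIC = b"!<arch>\n"


def ar_pack(members):
    """Write a classic ar archive from (name, bytes) pairs.
    mtime/uid/gid are fixed to 0 so the wrapper itself is reproducible.
    Member names are limited to 16 bytes here (assumption: no long-name table)."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in members:
        if len(name) > 16:
            raise ValueError(f"member name too long for classic ar: {name}")
        header = (
            name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
            + "100644".ljust(8) + str(len(data)).ljust(10)
        ).encode("ascii") + b"`\n"          # 60-byte header, magic trailer
        out.write(header)
        out.write(data)
        if len(data) % 2:                   # members start at even offsets
            out.write(b"\n")
    return out.getvalue()


def ar_unpack(blob):
    """Parse an ar archive into (name, bytes) pairs, rejecting truncated input."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:] != b"`\n":
            raise ValueError("corrupt member header")
        name = header[:16].decode("ascii").rstrip().rstrip("/")  # GNU ar adds '/'
        size = int(header[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        members.append((name, data))
        pos += 60 + size + (size % 2)
    return members


def sign(deb_bytes, key):
    """Stand-in detached signature: HMAC over the unchanged .deb bytes."""
    return hmac.new(key, deb_bytes, hashlib.sha256).hexdigest().encode("ascii")


def make_sdeb(deb_name, deb_bytes, signatures):
    """signatures: {signer: detached signature bytes}; signers sorted for determinism."""
    members = [(deb_name, deb_bytes)]
    for signer in sorted(signatures):
        members.append((signer + ".sig", signatures[signer]))
    return ar_pack(members)


def split_sdeb(sdeb_bytes):
    """Recover the untouched .deb and the signature set from an .sdeb."""
    members = ar_unpack(sdeb_bytes)
    debs = [(n, d) for n, d in members if n.endswith(".deb")]
    sigs = {n[:-4]: d for n, d in members if n.endswith(".sig")}
    if len(debs) != 1:
        raise ValueError("an .sdeb must wrap exactly one .deb")
    return debs[0], sigs


def verify_sdeb(sdeb_bytes, trusted_keys):
    """Return the set of trusted signers whose signature matches the inner .deb."""
    (_, deb_bytes), sigs = split_sdeb(sdeb_bytes)
    return {
        signer for signer, sig in sigs.items()
        if signer in trusted_keys
        and hmac.compare_digest(sig, sign(deb_bytes, trusted_keys[signer]))
    }


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: a tiny fake .deb payload and two signer keys.
DEB_NAME = "hi_1.0_all.deb"
DEB_BYTES = AR_MAGIC + b"constructed fake .deb payload"
KEYS = {"alice": b"alice-key", "bob": b"bob-key"}

ONE_SIG = make_sdeb(DEB_NAME, DEB_BYTES, {"alice": sign(DEB_BYTES, KEYS["alice"])})
TWO_SIGS = make_sdeb(DEB_NAME, DEB_BYTES,
                     {s: sign(DEB_BYTES, k) for s, k in KEYS.items()})

if __name__ == "__main__":
    inner_one = split_sdeb(ONE_SIG)[0][1]
    inner_two = split_sdeb(TWO_SIGS)[0][1]
    print("inner .deb hash unchanged:", sha256(inner_one) == sha256(inner_two))
    print("wrapper hash differs:", sha256(ONE_SIG) != sha256(TWO_SIGS))
    print("verified signers:", sorted(verify_sdeb(TWO_SIGS, KEYS)))
```

Because every signature is computed over the inner .deb alone, the archive can keep serving the .deb under its original checksum while a download front end attaches whichever signatures it has; the wrapper's checksum is expected to change and is not what the archive pins.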

