
Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

On 09/22/2014 04:07 AM, Elmar Stellnberger wrote:
> Am 22.09.14 um 01:52 schrieb Paul Wise: 
>> The Debian archive does not allow files to change their checksum, so
>> every signature addition requires a new version number. That sounds
>> like a bad idea to me.
> Yes, that is something we definitely do not want.
> Nonetheless it would still be an issue to have the package and the
> signatures in one file because we usually need them together. My only
> idea to realize this in spite of the said objection would be another
> proposal: Put the .deb and the signatures into one .ar called .sdeb and
> make tools like dpkg work on .sdebs or on .deb + signatures respectively.
> Whenever someone offers some packages for download that will be in the
> form of .sdebs while official debian repositories may separate both kinds
> of files. User interfaces like http://debtags.debian.net/search/ could
> then generate .sdebs on the fly to satisfy petted users.

This is almost exactly what i proposed a couple days ago on the
reproducible-builds mailing list [0], except that i used the extension
.debs instead of .sdeb :)


