[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

W. Martin Borgert wrote:
> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
>> * the signature files sign the package contents, not the hash of
>>   whole .deb file (i.e. control.tar.gz and data.tar.gz).
> So preinst and friends would not be signed? Sounds dangerous to me.

All package contents would be signed, except the signature itself.  The
signature would be a separate file in the ar archive of the .deb that signs
control.tar.gz and data.tar.gz. See jar or apk format for an example of how
this works.


Reply to: