Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

René Mayrhofer wrote:
> On 2014-09-25 06:24, Hans-Christoph Steiner wrote:
>> W. Martin Borgert wrote:
>>> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
>>>> * the signature files sign the package contents, not the hash of
>>>>   whole .deb file (i.e. control.tar.gz and data.tar.gz).
>>> So preinst and friends would not be signed? Sounds dangerous to me.
>> All package contents would be signed, except the signature itself.  The
>> signature would be a separate file in the ar archive of the .deb that signs
>> control.tar.gz and data.tar.gz. See jar or apk format for an example of how
>> this works.
> I know I'm late to the discussion, but for the record, I fully agree
> with this approach as the probably best compromise between usability
> (don't underestimate that, see the emergence of the various "app shops"
> for Linux applications), security, and flexibility. If anybody wants to
> work on that, I'm happy to support it in the University Linz context
> (i.e. as student work, thesis, etc.) and contribute to the process
> (although, depressingly but realistically, not the implementation).
> Rene

Since you mention Austria, I'll be based in Vienna from Oct 30th until March
3rd; perhaps we could even arrange a dev meeting/sprint on this topic in Linz
or Vienna.
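
The scheme quoted above (a separate signature member in the .deb's ar archive that covers control.tar.gz and data.tar.gz) is sketched here as an added example; it is not code from the thread or from dpkg. The member name `_signature`, the digest framing, and the sample bytes are assumptions constructed for illustration, and the actual signing step is left out.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
SIGNED = ("control.tar.gz", "data.tar.gz")  # members the signature covers

def ar_members(blob):
    """Yield (name, data) for each member of a common-format ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) != 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        yield name, data
        pos += 60 + size + (size & 1)  # members are padded to even offsets

def signed_digest(deb):
    """SHA-256 over the covered members only; the digest a signature would sign."""
    found = {}
    for name, data in ar_members(deb):
        if name in SIGNED:
            if name in found:  # ambiguous archive: which copy gets unpacked?
                raise ValueError("duplicate member " + name)
            found[name] = data
    if set(found) != set(SIGNED):
        raise ValueError("missing signed member")
    h = hashlib.sha256()
    for name in SIGNED:  # fixed order, name and length framed (assumed framing)
        h.update(name.encode() + b"\0" + str(len(found[name])).encode() + b"\0")
        h.update(found[name])
    return h.hexdigest()

def build_ar(members):
    """Build a small ar archive from (name, data) pairs, for the sample input."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)

# Constructed sample input: placeholder bytes stand in for real tarballs.
BASE = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"constructed control bytes"), ("data.tar.gz", b"constructed data")]
UNSIGNED = build_ar(BASE)
SIGNED_DEB = build_ar(BASE + [("_signature", b"constructed signature blob")])
TAMPERED = build_ar(BASE[:2] + [("data.tar.gz", b"constructed DATA")] + [("_signature", b"constructed signature blob")])
```

Adding the signature member changes the hash of the whole .deb but leaves `signed_digest` unchanged, while any change to a covered member changes it; that is what lets the signature live inside the file it signs.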


