Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
- To: firstname.lastname@example.org
- Subject: Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
- From: Hans-Christoph Steiner <email@example.com>
- Date: Thu, 16 Oct 2014 11:25:30 -0400
- Message-id: <[🔎] 543FE36A.firstname.lastname@example.org>
- In-reply-to: <[🔎] 543CDE75.email@example.com>
- References: <firstname.lastname@example.org> <541B8750.email@example.com> <CAKTje6EGFXcOpT3K7C2imneW4FPxnypwQfNUMjuLZ3=k1pFh8w@mail.gmail.com> <541C005D.firstname.lastname@example.org> <541C2CC5.email@example.com> <541C5597.firstname.lastname@example.org> <541C5C47.email@example.com> <541C7A58.firstname.lastname@example.org> <541C812F.email@example.com> <firstname.lastname@example.org> <20140925035052.GA20936@fama> <5423991B.email@example.com> <[🔎] 543CDE75.firstname.lastname@example.org>
René Mayrhofer wrote:
> On 2014-09-25 06:24, Hans-Christoph Steiner wrote:
>> W. Martin Borgert wrote:
>>> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
>>>> * the signature files sign the package contents, not the hash of
>>>> whole .deb file (i.e. control.tar.gz and data.tar.gz).
>>> So preinst and friends would not be signed? Sounds dangerous to me.
>> All package contents would be signed, except the signature itself. The
>> signature would be a separate file in the ar archive of the .deb that signs
>> control.tar.gz and data.tar.gz. See jar or apk format for an example of how
>> this works.
> I know I'm late to the discussion, but for the record, I fully agree
> with this approach as the probably best compromise between usability
> (don't underestimate that, see the emergence of the various "app shops"
> for Linux applications), security, and flexibility. If anybody wants to
> work on that, I'm happy to support it in the University Linz context
> (i.e. as student work, thesis, etc.) and contribute to the process
> (although, depressingly but realistically, not the implementation).
Since you mention Austria, I'll be based in Vienna from Oct 30th until March
3rd, perhaps we could even arrange a dev meeting/sprint on this topic in Linz