
Re: some sort of validation about a .deb package when a .deb package is installed.



shirish शिरीष:
> [...]
> 
> Dear Niels,
> I have zero programming experience but I believe I do explanations
> well. I didn't know that this has been a concern since 2005 as well
> as dpkg-sig and debsig-verify.  I am still reading it as it's a long
> bug, the only thing it seems is that it will fly in the face of
> reproducible builds if I'm not wrong?
> 

The standing solution for this type of problem in reproducible builds is
to detach the signature and compare it without (OR replace the signature
in the rebuild with the one on the original binary).

If you have bit-for-bit reproducibility (and reproducible
detach+reattach for signatures), then the signature on the first binary
will still match/be applicable for the second binary.

For more information (and other alternatives), please see
  https://reproducible-builds.org/docs/embedded-signatures/


Thanks,
~Niels
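As an added illustration of the detach-and-compare recipe described above (example code, not from this thread or from the reproducible-builds project): a .deb is an ar archive, and debsigs-style tools store the signature as an extra archive member, so the member can be split off, the remaining bytes compared with the rebuild, and the original signature reattached. The member name `_gpgorigin`, its position as the last member, and the sample archive bytes are assumptions constructed for this example.

```python
# Detach/compare/reattach an embedded .deb signature (ar archive member).
# Assumed: the signature lives in a trailing member named '_gpgorigin'.
AR_MAGIC = b"!<arch>\n"


def _ar_members(blob):
    """Yield (name, header+data+padding) for each member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]                      # fixed 60-byte header
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        name = header[0:16].rstrip(b" ").rstrip(b"/").decode()
        size = int(header[48:58])
        end = pos + 60 + size + (size % 2)               # data padded to even length
        yield name, blob[pos:end]
        pos = end


def detach_signature(deb, sig_member="_gpgorigin"):
    """Return (archive without the signature member, the raw signature member or None)."""
    rest, sig = [AR_MAGIC], None
    for name, chunk in _ar_members(deb):
        if name == sig_member:
            sig = chunk
        else:
            rest.append(chunk)
    return b"".join(rest), sig


def reattach_signature(deb, sig_chunk):
    """Append a previously detached signature member to an (unsigned) archive."""
    return deb + sig_chunk


def signature_applies_to_rebuild(signed, rebuild, sig_member="_gpgorigin"):
    """True when the signed package minus its signature is byte-identical to the rebuild."""
    stripped, sig = detach_signature(signed, sig_member)
    return sig is not None and stripped == rebuild


def ar_member(name, data):
    """Build one ar member: 60-byte header, data, newline pad to even length."""
    header = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
              + "100644".ljust(8) + str(len(data)).ljust(10)).encode() + b"`\n"
    return header + data + (b"\n" if len(data) % 2 else b"")


# Constructed sample: the same package content built twice, once with a signature member.
CONTENT = [("debian-binary", b"2.0\n"), ("control.tar.xz", b"ctl"), ("data.tar.xz", b"dat")]
REBUILD = AR_MAGIC + b"".join(ar_member(n, d) for n, d in CONTENT)
SIGNED = REBUILD + ar_member("_gpgorigin", b"-----CONSTRUCTED FAKE SIG-----")
```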


