[Reproducible-builds] concrete steps for improving apt downloading security and privacy
Elmar Stellnberger
estellnb at gmail.com
Fri Sep 19 10:07:25 UTC 2014
On 19.09.14 at 06:34, Paul Wise wrote:
> On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote:
>
>> Finally did this:
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762153
> Please note that your proposal to add signatures to .deb files will
> break reproducible builds because the hash of the .deb will differ
> depending on who signed it:
>
> https://wiki.debian.org/ReproducibleBuilds
>
> I think it would be far better to ship detached signatures in the
> archive since that allows for reproducible builds and also means there
> could be more than one signer (say one buildd, one Debian sponsor and
> one package maintainer).
>
Isn't there really any way to include the signatures in the header
of the .deb files?

Why not simply add multiple signature files in the control.tar.gz of a
.deb just next to the md5sums, which should indeed be a sha256sums
(otherwise there is no way to establish a 'chain of trust')? That would
not add any non-determinism because if it is done right then we can have
all the signers in the package!

It would be far better than detaching the signatures from the package
because the general use case where you need package signatures is the
manual download of packages. Detached signatures are completely useless
for such a use case!
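The two points in this exchange, a sha256sums file inside control.tar.gz as the link of a digest chain from signature to installed files, and the effect of an in-package signer-specific file on the .deb's own hash, can be shown with a small constructed example. The code below is an added illustration and is not part of the thread or of dpkg; the package contents, the placeholder signature bytes and the minimal ar/tar writers are constructed here for the demonstration, and real .deb files carry more members and metadata than this.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample payload standing in for a package's data.tar contents.
SAMPLE_FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/copyright": b"Copyright 2014 Example\n",
}


def deterministic_tar(files: dict) -> bytes:
    """Build a tar archive with fixed metadata so the bytes are reproducible."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0          # fixed timestamp: no build-time leakage
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256sums_text(files: dict) -> str:
    """Produce a sha256sums file in the same 'DIGEST  path' layout as md5sums."""
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n"
                   for n, d in sorted(files.items()))


def verify_sha256sums(tar_bytes: bytes, sums: str) -> list:
    """Return the listed paths whose content is missing or does not match."""
    expected = {}
    for line in sums.splitlines():
        digest, path = line.split("  ", 1)
        expected[path] = digest
    problems = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for path, digest in expected.items():
            member = members.get(path)
            if member is None:
                problems.append(path)
                continue
            actual = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if actual != digest:
                problems.append(path)
    return problems


def ar_member(name: bytes, data: bytes) -> bytes:
    """Encode one member of a classic 'ar' archive (the outer .deb container)."""
    header = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
              + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    if len(data) % 2:
        data += b"\n"   # ar members are padded to an even length
    return header + data


def build_deb(control_files: dict, data_files: dict = SAMPLE_FILES) -> bytes:
    """Assemble debian-binary, control.tar.gz and data.tar.gz into a .deb."""
    control_tar = gzip.compress(deterministic_tar(control_files), mtime=0)
    data_tar = gzip.compress(deterministic_tar(data_files), mtime=0)
    return (b"!<arch>\n"
            + ar_member(b"debian-binary", b"2.0\n")
            + ar_member(b"control.tar.gz", control_tar)
            + ar_member(b"data.tar.gz", data_tar))


def deb_sha256(control_files: dict) -> str:
    """Digest of the whole .deb, which is what reproducible-builds compares."""
    return hashlib.sha256(build_deb(control_files)).hexdigest()


BASE_CONTROL = {
    "control": b"Package: hello\nVersion: 1.0\n",
    "sha256sums": sha256sums_text(SAMPLE_FILES).encode(),
}
# Placeholder bytes standing in for a signer-specific signature file; a real
# signature would be produced by the signer's key and differs per signer.
SIGNED_CONTROL = dict(BASE_CONTROL,
                      **{"sha256sums.sig.signerA": b"PLACEHOLDER-SIGNATURE-A\n"})

if __name__ == "__main__":
    print("sha256sums verify:", verify_sha256sums(deterministic_tar(SAMPLE_FILES),
                                                  sha256sums_text(SAMPLE_FILES)))
    print("unsigned .deb :", deb_sha256(BASE_CONTROL))
    print("signed   .deb :", deb_sha256(SIGNED_CONTROL))
```

Running it twice yields the same digest for the unsigned package, while the package that carries a signer-specific file has a different digest; that is the tension between an in-package signature and a per-build comparison that the thread discusses. Verifying sha256sums against the extracted files is the part of the chain that works the same whether the signature over sha256sums travels inside the package or beside it.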