[Reproducible-builds] concrete steps for improving apt downloading security and privacy

Jérémy Bobbio lunar at debian.org
Sat Sep 20 07:08:01 UTC 2014


Hans-Christoph Steiner:
> > This makes `.deb` hard to use without a repository for anything
> > substantial. I would assume that's why Ubuntu developed the Click
> > package format.
> 
> Check out apt-offline, it makes this process easy.

I know about apt-offline. But that was basically my point: you don't
manipulate `.deb` by themselves easily as I've seen people do with APKs.
It's external tools which make it easy.

You were saying that we needed verifications to be as transparent and
automatic as possible. I agree. We have tools which make it happen
instead of asking for raw low-level interfaces.

> But .buildinfo is not a replacement for the embedded signature with an
> immutable signature.  They solve different problems.  This embedded signature
> idea is not really directly related to reproducible builds, but dkg started
> this thread here so I responded.

Except that embedded signatures break the idea of independently
reproducible builds. It means that on top of a description of the build
environment and the source code, I now need to retrieve a digital
signature from the original build if I want it to match.

-- 
Lunar                                .''`. 
lunar at debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
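The point Lunar makes above (an embedded signature means a second builder needs the original signature, not just source plus build environment, to reproduce the bytes) can be shown concretely. The following is an added illustration, not code from the thread, from Debian or from the reproducible-builds project. It stands in a deterministic tar archive for a `.deb`, an HMAC for an OpenPGP signature, and a two-line text record for a `.buildinfo` file; the file names, keys and environment string are constructed sample input.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample input (hypothetical package, not a real Debian source).
SOURCE = {
    "Makefile": b"all: hello\n",
    "hello.c": b"int main(void) { return 0; }\n",
}
# A description of the build environment, in the spirit of what a
# .buildinfo records (toolchain versions, not a real one).
BUILD_ENV = "gcc=4.9.1 libc6-dev=2.19 SOURCE_DATE_EPOCH=0"

SIG_LEN = 32           # HMAC-SHA256 output length
SIG_MARKER = b"SIG:"   # separator used by the embedded-signature design below


def reproducible_build(source, build_env):
    """Deterministic 'build': archive bytes depend only on source + env.

    Timestamps, ownership and file order are pinned so that two
    independent builders produce byte-identical output.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        members = dict(source)
        members["buildenv"] = build_env.encode()
        for name in sorted(members):
            data = members[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign(data, key):
    """Stand-in for a detached OpenPGP signature (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def embed_signature(artifact, key):
    """Embedded-signature design: the signature is shipped inside the artifact."""
    return artifact + SIG_MARKER + sign(artifact, key)


def strip_embedded_signature(signed):
    """Split an embedded-signature artifact back into (payload, signature)."""
    assert signed[-(SIG_LEN + len(SIG_MARKER)):-SIG_LEN] == SIG_MARKER
    return signed[:-(SIG_LEN + len(SIG_MARKER))], signed[-SIG_LEN:]


def buildinfo(artifact, build_env, key):
    """.buildinfo-style design: hash of the *unsigned* artifact plus the
    environment description, signed separately (detached)."""
    record = (
        f"env={build_env}\n"
        f"sha256={hashlib.sha256(artifact).hexdigest()}\n"
    ).encode()
    return record, sign(record, key)


def independently_reproducible(record, source, build_env):
    """A third party rebuilds from source + env and compares hashes.
    No key and no original signature are needed for this check."""
    rebuilt = reproducible_build(source, build_env)
    fields = dict(line.split("=", 1) for line in record.decode().splitlines())
    return hashlib.sha256(rebuilt).hexdigest() == fields["sha256"]


def compare_designs():
    """Two independent builders (different signing keys) build the same source."""
    key_a, key_b = b"builder-a-secret", b"builder-b-secret"   # constructed
    built_a = reproducible_build(SOURCE, BUILD_ENV)
    built_b = reproducible_build(SOURCE, BUILD_ENV)

    embedded_a = embed_signature(built_a, key_a)
    embedded_b = embed_signature(built_b, key_b)
    record_a, _detached_sig = buildinfo(built_a, BUILD_ENV, key_a)

    return {
        # source + env alone give identical bytes
        "unsigned_match": built_a == built_b,
        # with an embedded signature, builder B cannot reproduce A's file
        "embedded_match": embedded_a == embedded_b,
        # only after stripping the signature do the payloads agree again
        "stripped_match": strip_embedded_signature(embedded_a)[0]
                          == strip_embedded_signature(embedded_b)[0],
        # the .buildinfo-style record verifies without A's key or signature
        "buildinfo_verifies": independently_reproducible(record_a, SOURCE, BUILD_ENV),
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```

The design choice this makes visible: a signature is a non-deterministic input (it depends on a private key the second builder does not have), so anything that folds it into the distributed bytes moves the artifact out of the "source + environment" reproducibility contract. Keeping the signature detached, over a record that names the hash of the unsigned artifact, keeps that contract intact while still authenticating the build.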