[Reproducible-builds] concrete steps for improving apt downloading security and privacy
Hans-Christoph Steiner
hans at guardianproject.info
Sat Sep 20 18:13:32 UTC 2014
Jérémy Bobbio wrote:
> Hans-Christoph Steiner:
>>> This makes `.deb` hard to use without a repository for anything
>>> substantial. I would assume that's why Ubuntu developed the Click
>>> package format.
>>
>> Check out apt-offline, it makes this process easy.
>
> I know about apt-offline. But that was basically my point: you don't
> manipulate `.deb` by themselves easily as I've seen people do with APKs.
> It's external tools which make it easy.
>
> You were saying that we needed verifications to be as transparent and
> automatic as possible. I agree. We have tools which make it happen
> instead of asking for raw low-level interfaces.
But the apt signatures expire after two weeks. So that does not work for an
offline system.
>> But .buildinfo is not a replacement for the embedded signature with an
>> immutable signature. They solve different problems. This embedded signature
>> idea is not really directly related to reproducible builds, but dkg started
>> this thread here so I responded.
>
> Except that embedded signatures break the idea of independently
> reproducible builds. It means that on top of a description of the build
> environment and the source code, I now need to retrieve a digital
> signature from the original build if I want it to match.
It really does not break reproducible builds, if implemented properly. Just
include the complete canonical signature in .buildinfo in base64 format. I
don't see the problem there.
.hc
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
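As an added example (not code from this thread or from the Debian tooling), a toy model of the reply's suggestion: the original builder records the embedded signature in .buildinfo as base64, and an independent rebuilder re-attaches it to reach a byte-identical artifact. The container layout, the `Embedded-Signature` field name, and the HMAC stand-in for a real OpenPGP signature are all assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed container layout: payload, marker, signature (not the real .deb format).
MARKER = b"\n_gpgsig\n"


def build(source: bytes) -> bytes:
    """Stand-in for a deterministic build: the same source always yields the same bytes."""
    return b"DEB-PAYLOAD:" + hashlib.sha256(source).hexdigest().encode()


def sign(unsigned: bytes, key: bytes) -> bytes:
    """Stand-in for the original builder's OpenPGP signature. HMAC is not a signature;
    it only provides deterministic, key-dependent bytes for this demonstration."""
    return hmac.new(key, unsigned, hashlib.sha256).digest()


def embed(unsigned: bytes, sig: bytes) -> bytes:
    """Attach the signature to the artifact, as an embedded signature would."""
    return unsigned + MARKER + sig


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_buildinfo(source: bytes, key: bytes) -> dict:
    """Original builder: build, sign, and record both the final checksum and the
    signature itself (base64) in .buildinfo. 'Embedded-Signature' is hypothetical."""
    unsigned = build(source)
    sig = sign(unsigned, key)
    return {
        "Checksums-Sha256": sha256(embed(unsigned, sig)),
        "Embedded-Signature": base64.b64encode(sig).decode("ascii"),
    }


def rebuild_signed(source: bytes, buildinfo: dict) -> bytes:
    """Independent rebuilder: rebuild the payload, then re-attach the recorded signature."""
    sig = base64.b64decode(buildinfo["Embedded-Signature"])
    return embed(build(source), sig)


def reproduce(source: bytes, buildinfo: dict) -> tuple:
    """Returns (matches without the recorded signature, matches with it)."""
    expected = buildinfo["Checksums-Sha256"]
    return (sha256(build(source)) == expected,
            sha256(rebuild_signed(source, buildinfo)) == expected)


def verify(signed: bytes, key: bytes) -> bool:
    """Check the embedded signature against the payload it covers."""
    unsigned, _, sig = signed.rpartition(MARKER)
    return hmac.compare_digest(sign(unsigned, key), sig)
```

The first element of `reproduce()` shows why the rebuild alone can never match the published checksum; the second shows that recording the signature in .buildinfo closes that gap without weakening the signature check.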