[Reproducible-builds] concrete steps for improving apt downloading security and privacy

Richard van den Berg richard at vdberg.org
Sun Sep 21 19:13:50 UTC 2014


On 21 sep. 2014, at 20:29, W. Martin Borgert <debacle at debian.org> wrote:
> If a package would change by adding another signature, then this
> would invalidate previous signatures.

Package formats like apk and jar avoid this chicken and egg problem by hashing the files inside a package, and storing those hashes in a manifest file. Signatures only sign the manifest file. The manifest itself and the signature files are not part of the manifest, but are part of the package. So a package including its signature(s) is still a single file.

Richard
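The manifest scheme described above, as an added illustration that is not part of the thread nor of the apk/jar tooling: content files are hashed into a manifest, each signer only signs the manifest bytes, and signatures live beside the manifest in META-INF/ outside its coverage, so adding a second signature leaves the first valid. HMAC-SHA256 stands in for a public-key signature and the sample files are constructed (both assumptions).

```python
import hashlib
import hmac
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"   # hashes of every content entry
SIG_DIR = "META-INF/"               # manifest and signatures live here, outside the manifest

def build_manifest(contents):
    """One 'name sha256' line per content entry, sorted so the bytes are reproducible."""
    lines = [f"{n} {hashlib.sha256(contents[n]).hexdigest()}" for n in sorted(contents)]
    return ("\n".join(lines) + "\n").encode()

def make_package(contents):
    """Constructed sample package: content files plus the manifest, no signatures yet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in contents.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, build_manifest(contents))
    return buf.getvalue()

def add_signature(pkg, signer, key):
    """Append META-INF/<signer>.SIG: a tag over the manifest bytes only.
    HMAC-SHA256 stands in for a public-key signature (assumption); nothing else changes."""
    buf = io.BytesIO(pkg)
    with zipfile.ZipFile(buf, "a") as zf:
        tag = hmac.new(key, zf.read(MANIFEST), hashlib.sha256).hexdigest()
        zf.writestr(f"{SIG_DIR}{signer}.SIG", tag)
    return buf.getvalue()

def replace_entry(pkg, name, data):  # rewrite one entry; manifest and signatures stay as they were
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pkg)) as src, zipfile.ZipFile(buf, "w") as dst:
        for n in src.namelist():
            dst.writestr(n, data if n == name else src.read(n))
    return buf.getvalue()

def verify(pkg, signer, key):
    """True iff the signer's tag covers the stored manifest AND that manifest matches the contents."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        names, sig_name = zf.namelist(), f"{SIG_DIR}{signer}.SIG"
        if MANIFEST not in names or sig_name not in names:
            return False
        manifest = zf.read(MANIFEST)
        expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, zf.read(sig_name).decode()):
            return False
        contents = {n: zf.read(n) for n in names if not n.startswith(SIG_DIR)}
        return manifest == build_manifest(contents)
```

A verifier must do both checks: a valid tag over the manifest proves nothing unless the manifest is also recomputed from the actual entries.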

