[Reproducible-builds] concrete steps for improving apt downloading security and privacy
Paul Wise
pabs at debian.org
Sun Sep 21 23:52:55 UTC 2014
On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:
> A package with some new signatures added is no more the old package.
That is exactly what we do *not* want for reproducible builds.
> It should have a different checksum and be made available again for update.
The Debian archive does not allow files to change their checksum, so
every signature addition requires a new version number. That sounds
like a bad idea to me.
> Perhaps someone wants to install the package not before certain signatures
> have been added.
Thats a good idea and it could certainly be implemented with the
design behind reproducible builds as well.
> Your thought experiment would this way of course require an adjusted
> toolchain i.e. sth. like dpkg-cmp that outputs differences in the
We definitely need a tool like this for reproducible builds and indeed
it already exists:
https://wiki.debian.org/ReproducibleBuilds#bash_script_to_compare_two_package_builds
Reproducible builds and independent verification of those builds by
multiple parties
--
bye,
pabs
https://wiki.debian.org/PaulWise
More information about the Reproducible-builds
mailing list