[Reproducible-builds] concrete steps for improving apt downloading security and privacy

Elmar Stellnberger estellnb at gmail.com
Mon Sep 22 08:07:00 UTC 2014


On 22.09.14 at 01:52, Paul Wise wrote:
> On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:
>
>>     A package with some new signatures added is no more the old package.
> That is exactly what we do *not* want for reproducible builds.
>
>> It should have a different checksum and be made available again for update.
> The Debian archive does not allow files to change their checksum, so
> every signature addition requires a new version number. That sounds
> like a bad idea to me.
Yes, that is something we definitely do not want.
Nonetheless it would still be an issue to have the package and the signatures
in one file because we usually need them together. My only idea to realize this
in spite of the said objection would be another proposal:
Put the .deb and the signatures into one .ar called .sdeb and make tools like
dpkg work on .sdebs or on .deb + signatures respectively. Whenever someone
offers some packages for download that will be in the form of .sdebs while
official Debian repositories may separate both kinds of files. User interfaces
like http://debtags.debian.net/search/ could then generate .sdebs on the fly
to satisfy petted users.
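
An added sketch of the .sdeb idea from the message above, not code from the post or from Debian: it wraps an unmodified .deb and a variable number of detached signatures in a common ar container and shows that the embedded .deb keeps its checksum however many signatures are attached. The member names `package.deb` and `signature.N`, the helper names, and the sample bytes are assumptions made for illustration; the signatures are placeholders, not real OpenPGP data.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_member(name: str, data: bytes) -> bytes:
    # Common ar header, 60 bytes: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) end(2).
    # mtime/uid/gid are fixed at 0 so the container itself is deterministic.
    header = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
        name.encode(), 0, 0, 0, b"100644", len(data))
    # Member data is padded with a newline to an even length.
    return header + data + (b"\n" if len(data) % 2 else b"")

def build_sdeb(deb: bytes, signatures: list) -> bytes:
    # Hypothetical layout: the untouched .deb first, then one member per signature.
    out = AR_MAGIC + ar_member("package.deb", deb)
    for i, sig in enumerate(signatures):
        out += ar_member("signature.%d" % i, sig)
    return out

def read_ar(blob: bytes) -> dict:
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) != 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt member header")
        name = header[:16].decode().rstrip()
        size = int(header[48:58].decode())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        members[name] = data
        pos += 60 + size + (size % 2)  # skip the padding byte if present
    return members

def deb_digest(sdeb: bytes) -> str:
    # Checksum of the embedded .deb only; this is the value that must stay stable.
    return hashlib.sha256(read_ar(sdeb)["package.deb"]).hexdigest()

# Constructed sample input (odd length, so the padding path is exercised).
SAMPLE_DEB = b"constructed .deb payload!"
ONE_SIG = build_sdeb(SAMPLE_DEB, [b"placeholder signature A"])
TWO_SIGS = build_sdeb(SAMPLE_DEB, [b"placeholder signature A", b"placeholder signature B"])

if __name__ == "__main__":
    print("embedded .deb:", deb_digest(ONE_SIG), deb_digest(TWO_SIGS))
    print("containers   :", hashlib.sha256(ONE_SIG).hexdigest(),
          hashlib.sha256(TWO_SIGS).hexdigest())
```

The container checksum changes with every added signature while the embedded .deb checksum does not, so an archive that pins the .deb checksum would not need a new version number when a signature is added.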






