[Reproducible-builds] concrete steps for improving apt downloading security and privacy
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Sep 22 12:53:25 UTC 2014
On 09/22/2014 04:07 AM, Elmar Stellnberger wrote:
> Am 22.09.14 um 01:52 schrieb Paul Wise:
>> The Debian archive does not allow files to change their checksum, so
>> every signature addition requires a new version number. That sounds
>> like a bad idea to me.
> Yes, that is something we definitely do not want.
> Nonetheless it would still be an issue to have the package and the
> signatures
> in one file because we usually need them together. My only idea to
> realize this
> in spite of the said objection would be another proposal:
> Put the .deb and the signatures into one .ar called .sdeb and make tools
> like
> dpkg work on .sdebs or on .deb + signatures respecively. Whenever someone
> offers some packages for download that will be in the form of .sdebs while
> official debian repositories may separate both kinds of files. User
> interfaces
> like http://debtags.debian.net/search/ could then generate .sdebs on the
> fly
> to satisfy petted users.
This is almost exactly what i proposed a couple days ago on the
reproducible-builds mailing list [0], except that i used the extension
.debs instead of .sdeb :)
--dkg
[0]
http://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20140915/000432.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20140922/0f2a75a5/attachment.sig>
More information about the Reproducible-builds
mailing list