[Reproducible-builds] Moving towards buildinfo on the archive network
Ximin Luo
infinity0 at debian.org
Sun Aug 21 16:01:00 UTC 2016
Jonathan McDowell:
> On Sat, Aug 20, 2016 at 03:13:00PM +0000, Ximin Luo wrote:
>> Note that the builder is a *distinct entity* from the distribution.
>> It's important to keep the *original* signature by B on C. It breaks
>> our security logic to strip the signature and re-sign C using (e.g.)
>> the Debian archive release keys - because the entity in charge of this
>> release key is not the one that actually performed the build. Doing
>> this would allow malicious builders to re-attribute their misdeeds to
>> look like it's the fault of Debian.
>
> Debian already does this in the context of the fact that Package files
> etc are signed by the archive key. It's possible to go and grab the .dsc
> file to see who did the file build, but day-to-day no one is using these
> to verify the binaries they receive. I care more that Debian stands
> behind the packages I download than being able to verify individually
> who built each of the packages I'm running - there's no meaningful way I
> can attribute trust to *all* of the people who packaged something I have
> installed.
>
You have this backwards.
"Being able to verify individually who built each of the packages I'm running"
is *exactly* what is required to *not* have to
"attribute trust to *all* of the people who packaged something I have installed."
and that is one major (probably the main) goal of R-B.
Now that I point this out - do you agree, and does it change your mind on anything you previously said?
X
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
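The trust model argued for above, as an added example that is not part of the original thread and not Debian's own tooling: a verifier accepts a package hash only when at least k distinct builders, each checked under its own registered key, attest the same hash, so the user never has to trust any single builder. The same code then shows what stripping the builders' signatures and re-signing under one archive key does to that check. Everything here is constructed: the builder names, the sample "binaries", and the Attestation struct, which stands in for a signed .buildinfo and is not the real format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attestation is a simplified stand-in for a signed .buildinfo (illustrative, not the
// real format): a builder names itself and signs the hash of the binary it produced.
type Attestation struct {
	BuilderID string // who claims to have produced the binary
	Hash      string // hex SHA-256 of that binary
	Sig       []byte // ed25519 signature by BuilderID over Hash
}

// newKey generates a signing key for a hypothetical builder.
func newKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// attest has builder `id` sign, with its own key, the hash of the binary it produced.
func attest(id string, priv ed25519.PrivateKey, binary []byte) Attestation {
	sum := sha256.Sum256(binary)
	h := hex.EncodeToString(sum[:])
	return Attestation{BuilderID: id, Hash: h, Sig: ed25519.Sign(priv, []byte(h))}
}

// countAgreeing returns, per hash, how many distinct builders validly attest it. A
// signature that does not verify under the key registered for the named builder is
// dropped (nobody can pin their output on someone else); duplicate votes count once.
func countAgreeing(atts []Attestation, keys map[string]ed25519.PublicKey) map[string]int {
	seen, counts := map[string]bool{}, map[string]int{}
	for _, a := range atts {
		pub, ok := keys[a.BuilderID]
		if !ok || !ed25519.Verify(pub, []byte(a.Hash), a.Sig) {
			continue
		}
		if vote := a.BuilderID + ":" + a.Hash; !seen[vote] {
			seen[vote] = true
			counts[a.Hash]++
		}
	}
	return counts
}

// acceptable returns the hash attested by at least k distinct builders, if any: the
// user trusts no single builder, k independent agreeing builds suffice.
func acceptable(atts []Attestation, keys map[string]ed25519.PublicKey, k int) (string, bool) {
	for h, n := range countAgreeing(atts, keys) {
		if n >= k {
			return h, true
		}
	}
	return "", false
}

// resignAsArchive models what the mail argues against: builder signatures are stripped
// and everything is re-signed under one archive key, so every attestation now names
// "archive" and who actually built what is no longer visible to the verifier.
func resignAsArchive(atts []Attestation, archiveKey ed25519.PrivateKey) []Attestation {
	out := make([]Attestation, 0, len(atts))
	for _, a := range atts {
		out = append(out, Attestation{BuilderID: "archive", Hash: a.Hash, Sig: ed25519.Sign(archiveKey, []byte(a.Hash))})
	}
	return out
}

// Constructed sample "binaries": the honest builders reproduce goodBinary, builder-3 emits badBinary.
var goodBinary, badBinary = []byte("reproducible build output"), []byte("reproducible build output + backdoor")

type Outcome struct {
	GoodHash, BadHash string         // hashes of the two sample binaries
	Accepted          string         // hash that reached k=2 among the three builders ("" if none)
	BadVotes          int            // distinct valid votes for BadHash
	AfterResign       map[string]int // per-hash distinct signers once the archive has re-signed
}

func runScenario() Outcome {
	k1, k2, k3 := newKey(), newKey(), newKey() // builder-1 and builder-2 are honest, builder-3 is not
	keys := map[string]ed25519.PublicKey{"builder-1": pubOf(k1), "builder-2": pubOf(k2), "builder-3": pubOf(k3)}
	a1, a2, a3 := attest("builder-1", k1, goodBinary), attest("builder-2", k2, goodBinary), attest("builder-3", k3, badBinary)
	forged := a3
	forged.BuilderID = "builder-1" // builder-3 tries to pin its bad build on builder-1
	atts := []Attestation{a1, a2, a3, a3, forged} // a3 twice: one builder trying to vote twice
	accepted, _ := acceptable(atts, keys, 2)
	archiveKey := newKey()
	return Outcome{GoodHash: a1.Hash, BadHash: a3.Hash, Accepted: accepted, BadVotes: countAgreeing(atts, keys)[a3.Hash],
		AfterResign: countAgreeing(resignAsArchive(atts, archiveKey), map[string]ed25519.PublicKey{"archive": pubOf(archiveKey)})}
}

func main() {
	o := runScenario()
	fmt.Printf("accepted=%.12s badVotes=%d afterResign=%v\n", o.Accepted, o.BadVotes, o.AfterResign)
}
```

With the builders' own signatures kept, the 2-of-3 check accepts the honestly reproduced hash, builder-3's duplicate vote counts once, and its attestation forged in builder-1's name fails verification under builder-1's key. After the archive re-signs everything, both the good and the bad hash carry exactly one valid signer, "archive": the verifier can no longer distinguish two independent builders from one, nor tell which builder produced the bad binary, which is the attribution loss the reply describes.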