Buildinfo in the Debian archive, updates

Ximin Luo infinity0 at debian.org
Sat Nov 19 11:26:00 UTC 2016 

Daniel Kahn Gillmor:
> Hi all--
> 
> On Mon 2016-11-14 12:13:00 -0500, Ximin Luo wrote:
>> A GPG signature with a 4096-bit key is about 800 bytes in base 64:
>>
>> http://ftp.debian.org/debian/dists/sid/ (has 2 signatures, if you use `gpg --list-packets`)
>> http://ppa.launchpad.net/infinity0/rust-nightly/ubuntu/dists/yakkety/
>>
>> so it would be about 600 bytes compressed. Across 24000 source packages, this would be 
>>
>> 600 * 24000 ~= 13.7MB
>>
>> per architecture (including for arch:all). This doesn't seem too bad actually.
> 
> If size is a concern, we can make this much smaller by using ed25519 or
> ecdsa P256 signatures from the buildd's instead of RSA 4096.  gpgv in
> Debian stretch is able to validate these signatures, and gpg in Debian
> stretch is able to produce them.  This should reduce the total size of
> the signatures to about ~1MiB per architecture, if i'm calculating this
> correctly.
> 

We should definitely do this yes, if it's feasible. It would only *decrease* the size for non-amd64 arches.

For amd64, I think one nice idea we had way back when was for developers to do source-only uploads, but with a signed buildinfo file that includes the binary hashes, for the buildds to try to match. In that case, we'd still prefer to keep and distribute these large signatures rather than discarding them. But the "matching signature" from the buildd should definitely be ed25519 to avoid increasing this 13.7 figure even further.

(Assuming most DDs won't start switching to ed25519 themselves, for another few years.)

>> In total, this would be (9+13)*2 (one arch:all, one arch:$native) ~=
>> 50MB download, which considering the advantage of not having to
>> contact a 3rd party, I think is just about worth it, even if you only
>> want to rebuild a few packages.
> 
> Can you explain this computation?  i'm assuming 9 is the number of
> debian architectures.  If an architectures builds both arch:all and
> arch:$native, it can do it in a single build, producing a single
> (signed) buildinfo file.  right?  so why the 2?
> 

Sorry, I skipped many steps. This calculation is not about the cost to the mirror network. I'm assuming a few hundred extra MB over 10-20 files is going to be easy to cope with, and the debug-mirror switch that was already done more than offsets this cost.

The calculation was about the worst-case cost, in case 1 rebuilder wants to build 1 source package. They would have to download Buildinfos-{all,$native}{,.sigs}.xz. By the previous estimates this would be:

Buildinfos-all.xz          9MB
Buildinfos-all.sigs.xz    14MB
Buildinfos-amd64.xz        9MB
Buildinfos-amd64.sigs.xz  14MB
------------------------------
Total                     46MB

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git

More information about the Reproducible-builds mailing list