Buildinfo in the Debian archive, updates
Jonathan McDowell
noodles at earth.li
Mon Dec 12 11:16:05 UTC 2016
On Thu, Dec 08, 2016 at 09:58:00AM +0000, Ximin Luo wrote:
[Signature field for build-info]
> If we go down this route (and it's looking pretty good IMO) then I
> agree that we don't need to store the binary hashes in Packages.gz.
> But we should store a hash of each Buildinfos.xz in the Release files
> (that are signed), so there is a cryptographic "route" from what is
> signed by Debian, to what is signed by the builders.
Yes, completely agree - it was always my intention that the Buildinfo
hashes should be in the signed Releases file, to provide a trust path
from the usual archive keys.
> Are you all coming to the meeting next week? We should figure out some
> way to divide up this work. I'm not very familiar with the dak code
> atm, some pointers would be nice.
Sadly I haven't been able to spare the time necessary to attend.
J.
--
Don't do it!
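The trust path proposed above runs signed Release -> hash of Buildinfos.xz -> builder-signed .buildinfo -> hash of each binary. The following is an added example (not code from this thread, from dak, or from apt) that walks those hash links over constructed data. It assumes the index lives at main/buildinfo/Buildinfos.xz and is an xz-compressed concatenation of .buildinfo stanzas; neither detail is fixed by the discussion. It also assumes the Release signature (InRelease / Release.gpg) and each builder's signature on its .buildinfo have already been checked with gpg, so only the hash links between them are verified here.

```python
"""Verify the hash chain Release -> Buildinfos.xz -> .buildinfo -> .deb.

Added example for the Reproducible-builds thread; signature checks on the
Release file and on each .buildinfo are assumed to have been done with gpg.
"""
import hashlib
import lzma


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksums(text: str, field: str) -> dict:
    """Parse a Debian control-style checksum block.

    `field` is e.g. "SHA256" (Release) or "Checksums-Sha256" (.buildinfo);
    the block is the field line followed by indented " <hex> <size> <name>"
    lines. Returns {name: (hex_digest, size)}.
    """
    entries = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith(field + ":"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(" "):
            in_block = False  # block ends at the next unindented field
            continue
        parts = line.split()
        if len(parts) == 3:
            digest, size, name = parts
            entries[name] = (digest.lower(), int(size))
    return entries


def matches(entries: dict, name: str, data: bytes) -> bool:
    """True iff `data` has exactly the size and SHA-256 recorded for `name`."""
    if name not in entries:
        return False
    digest, size = entries[name]
    return len(data) == size and sha256_hex(data) == digest


def verify_chain(release_text: str, buildinfos_xz: bytes,
                 buildinfos_path: str, deb_name: str, deb_bytes: bytes) -> bool:
    """Return True iff every hash link from Release down to the .deb holds."""
    # Link 1: the signed Release file vouches for the Buildinfos index.
    release = parse_checksums(release_text, "SHA256")
    if not matches(release, buildinfos_path, buildinfos_xz):
        return False
    # Link 2: the index carries the builder-signed .buildinfo stanzas
    # (assumed format: xz-compressed stanzas separated by blank lines).
    try:
        stanzas = lzma.decompress(buildinfos_xz).decode("utf-8").split("\n\n")
    except (lzma.LZMAError, UnicodeDecodeError):
        return False
    # Link 3: a .buildinfo records the hash of each binary it produced.
    for stanza in stanzas:
        if matches(parse_checksums(stanza, "Checksums-Sha256"), deb_name, deb_bytes):
            return True
    return False


# --- constructed sample data, not real archive content ---------------------
DEB_BYTES = b"constructed stand-in for the bytes of hello_1.0-1_amd64.deb\n"
BUILDINFO = (
    "Format: 1.0\n"
    "Source: hello\n"
    "Binary: hello\n"
    "Architecture: amd64\n"
    "Version: 1.0-1\n"
    "Checksums-Sha256:\n"
    f" {sha256_hex(DEB_BYTES)} {len(DEB_BYTES)} hello_1.0-1_amd64.deb\n"
)
BUILDINFOS_XZ = lzma.compress(BUILDINFO.encode("utf-8"))
BUILDINFOS_PATH = "main/buildinfo/Buildinfos.xz"  # assumed archive location
RELEASE = (
    "Origin: Debian\n"
    "Suite: unstable\n"
    "SHA256:\n"
    f" {sha256_hex(BUILDINFOS_XZ)} {len(BUILDINFOS_XZ)} {BUILDINFOS_PATH}\n"
)


def demo() -> tuple:
    """(genuine .deb verifies, tampered .deb fails, tampered index fails)."""
    name = "hello_1.0-1_amd64.deb"
    ok = verify_chain(RELEASE, BUILDINFOS_XZ, BUILDINFOS_PATH, name, DEB_BYTES)
    bad_deb = verify_chain(RELEASE, BUILDINFOS_XZ, BUILDINFOS_PATH, name, DEB_BYTES + b"x")
    bad_index = verify_chain(RELEASE, BUILDINFOS_XZ + b"\x00", BUILDINFOS_PATH, name, DEB_BYTES)
    return ok, bad_deb, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of checking size as well as digest, and of refusing to decompress an index whose hash does not match, is that the only thing the archive key vouches for is the exact bytes of Buildinfos.xz; anything derived from a mismatching index carries no trust, however plausible its contents look.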