Hi Ansgar,

Thanks for filling in the gaps I left in my explanation.

On Wed, Oct 23, 2019 at 10:15:16AM +0200, Ansgar wrote:
> kernel.org uses a similar scheme: there are signatures for the
> uncompressed tarballs by the maintainer (linux-*.tar.sign). In addition
> there is a sha256sums.asc which has strong hashes of the compressed
> files (linux-*.tar.{gz,xz}) and is signed by their archive management
> system.

That's what I was thinking about. My expectation was:

The source .dsc file contains checksums for uncompressed files. Those can be built easily in a reproducible way, just as you mentioned that the output of "git archive" is already pretty stable over time. Those are also the values dak uses to find identical files.

The upload .changes file contains checksums of the actually uploaded compressed files.

The archive Sources file will be filled with checksums for either only the compressed files or both.

The only pieces of software that would be susceptible to attacks on the decompressor are tools that download .dsc and the listed source files directly without going through a Sources file.

Regards,
Bastian

-- 
Schshschshchsch.
		-- The Gorn, "Arena", stardate 3046.2
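The two verification orders discussed in this thread, as an added example that is not part of the original message or of any Debian tool (dak, dpkg-source, apt): a .dsc-style record carrying the SHA-256 of the uncompressed tarball, a Sources-style record carrying the SHA-256 of the compressed file, and a verifier for each situation. The record layout, the file names and the in-memory "download" are assumptions made for illustration; the point shown is that with only a .dsc the decompressor has to run on unverified bytes, whereas a Sources-style compressed-file hash lets the bytes be checked first. It also shows why the uncompressed hash is the stable one: recompressing the same tar with a different gzip header changes the compressed hash but not the .dsc hash.

```python
"""Added example (not from the thread): checksum order for a source upload.

Assumed, for illustration only:
 - dsc_record(): SHA-256 of the *uncompressed* tar, as in a .dsc
 - sources_record(): SHA-256 of the *compressed* file, as in archive Sources
 - the "downloaded" file is a constructed gzip blob built in memory
"""
import gzip
import hashlib
import io
import tarfile

MAX_UNCOMPRESSED = 1 << 20  # 1 MiB cap on untrusted decompression, illustrative


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_source_tarball() -> bytes:
    """Constructed sample input: a tiny uncompressed tar with one C file.

    Fixed mtime/uid/gid make the tar bytes reproducible, the property the
    thread attributes to 'git archive' output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"int main(void) { return 0; }\n"
        info = tarfile.TarInfo(name="hello-1.0/hello.c")
        info.size = len(payload)
        info.mtime = 0
        info.uid = info.gid = 0
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def dsc_record(uncompressed_tar: bytes) -> dict:
    """.dsc-style entry: checksum of the uncompressed tarball (assumed layout)."""
    return {"hello_1.0.orig.tar": sha256(uncompressed_tar)}


def sources_record(compressed_file: bytes) -> dict:
    """Sources-style entry: checksum of the compressed file (assumed layout)."""
    return {"hello_1.0.orig.tar.gz": sha256(compressed_file)}


def verify_via_dsc_only(downloaded_gz: bytes, dsc: dict) -> bool:
    """Only the .dsc is available: nothing can be compared until the file is
    decompressed, so the decompressor runs on unverified input. Bounding the
    output size limits, but does not remove, that exposure."""
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(downloaded_gz)) as gz:
            data = gz.read(MAX_UNCOMPRESSED + 1)
    except (OSError, EOFError):
        return False  # malformed stream; treat as verification failure
    if len(data) > MAX_UNCOMPRESSED:
        return False  # decompression-bomb guard
    return sha256(data) == dsc["hello_1.0.orig.tar"]


def verify_via_sources(downloaded_gz: bytes, sources: dict, dsc: dict) -> bool:
    """Sources carries the compressed-file hash, so the exact bytes are
    verified before the decompressor sees them; the .dsc hash is then
    checked on data already known to be what the archive published."""
    if sha256(downloaded_gz) != sources["hello_1.0.orig.tar.gz"]:
        return False
    data = gzip.decompress(downloaded_gz)
    return sha256(data) == dsc["hello_1.0.orig.tar"]


def recompressed_hashes_differ(uncompressed_tar: bytes) -> tuple[bool, bool]:
    """Recompress the same tar twice with different gzip header mtimes.
    Returns (compressed hashes differ, uncompressed hashes still equal)."""
    a = gzip.compress(uncompressed_tar, mtime=0)
    b = gzip.compress(uncompressed_tar, mtime=1)
    return (sha256(a) != sha256(b),
            sha256(gzip.decompress(a)) == sha256(gzip.decompress(b)))


if __name__ == "__main__":
    tar = build_source_tarball()
    gz = gzip.compress(tar, mtime=0)
    print("dsc-only:", verify_via_dsc_only(gz, dsc_record(tar)))
    print("via Sources:", verify_via_sources(gz, sources_record(gz), dsc_record(tar)))
    print("recompressed:", recompressed_hashes_differ(tar))
```

The Sources-based path is the one a tool should prefer: an attacker who serves a crafted .tar.gz gets no decompressor execution at all unless the compressed bytes already match what the archive signed, while the .dsc-only path has to trust the decompressor on whatever it received, which is exactly the exposure the message points at for tools that fetch a .dsc and its files directly.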