Hi Ansgar

Thanks for filling in the gaps I left in my explanation.

On Wed, Oct 23, 2019 at 10:15:16AM +0200, Ansgar wrote:
> kernel.org uses a similar scheme: there are signatures for the
> uncompressed tarballs by the maintainer (linux-*.tar.sign).  In addition
> there is a sha256sums.asc which has strong hashes of the compressed
> files (linux-*.tar.{gz,xz}) and is signed by their archive management
> system.

That's what I was thinking about.  My expectation was:

The source .dsc file contains checksums for uncompressed files.  Those
can be built easily in a reproducible way, just as you mentioned that
the output of "git archive" is already pretty stable over time.  Those
are also the values dak uses to find identical files.

The upload .changes file contains checksums of the actually uploaded
compressed files.

The archive Sources file will be filled with checksums for either only
the compressed files or both.

The only piece of software that would be susceptible to attacks on the
decompressor are tools to download .dsc and the listed source files
directly without going through a Sources file.

Regards,
Bastian

-- 
Schshschshchsch.
                -- The Gorn, "Arena", stardate 3046.2
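The two-layer check described in the thread (compressed-file hash from the .changes/Sources entry, uncompressed-file hash from the .dsc), as an added example that is not part of the original mail or of dak; the tarball content, file names, checksum records and the size bound are all constructed/hypothetical:

```python
import gzip
import hashlib
import io

# Constructed sample "uncompressed tarball" payload; not a real Debian source.
UNCOMPRESSED = b"demo-1.0/\ndemo-1.0/hello.c\nint main(void){return 0;}\n"
# The compressed form that would actually be uploaded (fixed mtime for stability).
COMPRESSED = gzip.compress(UNCOMPRESSED, mtime=0)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hypothetical checksum records as the discussed scheme would carry them:
# the .dsc lists the uncompressed file, the .changes / Sources entry lists
# the compressed file as uploaded.
DSC_CHECKSUMS = {"demo_1.0.orig.tar": sha256(UNCOMPRESSED)}
CHANGES_CHECKSUMS = {"demo_1.0.orig.tar.gz": sha256(COMPRESSED)}

MAX_UNCOMPRESSED = 64 * 1024 * 1024  # hypothetical bound against decompression bombs

def verify_dsc_only(name_gz: str, blob: bytes, dsc: dict) -> bool:
    """The exposed path from the mail: only the .dsc is available, so untrusted
    bytes must go through the decompressor before any hash can be compared."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as f:
        payload = f.read(MAX_UNCOMPRESSED + 1)
    if len(payload) > MAX_UNCOMPRESSED:
        return False
    return dsc.get(name_gz[: -len(".gz")]) == sha256(payload)

def verify_download(name_gz: str, blob: bytes, changes: dict, dsc: dict) -> bool:
    """The Sources-backed path: check the compressed blob first, so the
    decompressor only ever sees input whose hash already matched, then check
    the uncompressed payload against the .dsc value."""
    expected_gz = changes.get(name_gz)
    if expected_gz is None or sha256(blob) != expected_gz:
        return False
    return verify_dsc_only(name_gz, blob, dsc)
```

A recompressed tarball with identical contents passes `verify_dsc_only` but is rejected by `verify_download` before decompression, which is exactly the difference between the two client paths the mail distinguishes.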
