* Jonas Smedegaard <jo...@jones.dk> [2023-08-10 12:32]:
> Example: An organisation has examined licensing of Chromium as installed
> on their Android and Linux systems, expressed as SPDX datasets with SHA1
> checksums for upstream tarballs.  They need to do a full analysis for
> each upstream release, but would prefer to only need a partial analysis
> for each Debian repackaging if possible.  If Debian included a SHA1
> which matched a SHA1 in their SPDX dataset then they benefit.  If SHA1
> for one reason or another don't match then it is not a sign of insecurity,
> only a more expensive process for them because they then need to analyze
> that repackaged tarball as unique instead of as a derivation of
> something known to them.

I agree that you describe a valid use-case and a good reason why
Debian maintainers should not repack source archives arbitrarily,
but it does not refute my point. A cryptographic hash is not a
signature, it merely represents a particular binary blob (such as a
source archive) and makes no claim about the authorship of that
blob. In fact, you can even compute it yourself if upstream refuses
to do so, and your described use-case would still work: You don't
need to know about authorship, you only need to know if some tarball
has content you have already seen and examined before.


Cheers
Timo



--
⢀⣴⠾⠻⢶⣦⠀   ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁   │ Timo Röhling                                       │
⢿⡄⠘⠷⠚⠋⠀   │ 9B03 EBB9 8300 DF97 C2B1  23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀   ╰────────────────────────────────────────────────────╯
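The point made in the reply above, that a checksum identifies content rather than authorship and that anyone can recompute it, can be shown with a small script. This is an added example, not code from the thread or from Debian; the source tree, the SPDX tag-value snippet, and the function names (build_tarball, known_sha1s, classify) are constructed for illustration. It builds a deterministic upstream tarball, records its SHA1 in an SPDX-style dataset the way the described organisation would, and then classifies candidate tarballs: a byte-identical rebuild matches without any signature being involved, while a repacked tarball with the same files but a different timestamp gets a different SHA1 and would have to be analysed as unique.

```python
import gzip
import hashlib
import io
import re
import tarfile

# Constructed sample source tree (not a real release of anything).
SAMPLE_FILES = {
    "example-1.0/README": b"example project\n",
    "example-1.0/main.c": b"int main(void) { return 0; }\n",
}


def build_tarball(files, mtime):
    """Build a .tar.gz in memory with fixed metadata so the bytes are reproducible.

    The mtime is written into both the tar member headers and the gzip header,
    so two calls with the same files and mtime yield identical bytes, and a
    repack with a different mtime yields different bytes despite identical content.
    """
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def sha1_hex(blob):
    """SHA1 of a binary blob: a content identifier, not a statement about who made it."""
    return hashlib.sha1(blob).hexdigest()


# SPDX tag-value package checksum line, e.g. "PackageChecksum: SHA1: <40 hex digits>".
CHECKSUM_RE = re.compile(r"^PackageChecksum:\s*SHA1:\s*([0-9a-fA-F]{40})\s*$", re.MULTILINE)


def known_sha1s(spdx_text):
    """Collect every SHA1 package checksum recorded in an SPDX tag-value document."""
    return {m.group(1).lower() for m in CHECKSUM_RE.finditer(spdx_text)}


def classify(tarball, known):
    """Return ('known', digest) if this exact blob was analysed before, else ('unique', digest)."""
    digest = sha1_hex(tarball)
    return ("known" if digest in known else "unique", digest)


# The upstream tarball the organisation already analysed, and a repack with the
# same files but a different timestamp (constructed values).
UPSTREAM = build_tarball(SAMPLE_FILES, mtime=1_600_000_000)
REPACKED = build_tarball(SAMPLE_FILES, mtime=1_700_000_000)

# Constructed SPDX dataset: the organisation computed the checksum itself.
SPDX_DATASET = f"""SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
PackageName: example
PackageVersion: 1.0
PackageChecksum: SHA1: {sha1_hex(UPSTREAM)}
"""

if __name__ == "__main__":
    known = known_sha1s(SPDX_DATASET)
    # A rebuild by any third party with the same inputs matches: no signature needed.
    print("rebuilt upstream:", classify(build_tarball(SAMPLE_FILES, mtime=1_600_000_000), known))
    # A repack does not match, so it must be analysed on its own, although it is not
    # evidence that anything is wrong with it.
    print("repacked       :", classify(REPACKED, known))
```

The interesting comparison is the last line: the repack contains byte-identical files, yet its SHA1 differs, which is exactly the "more expensive process" case from the quoted use-case. The script never consults a key or a signature; matching a checksum tells you whether you have seen this exact blob before, and nothing more.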
