Hey :)

On 9/2/25 1:55 PM, Guillem Jover wrote:
> To be very honest, I've seen the reproducibility and key rotation problems to be such a concern that I don't think we'd want to have those in the archive. I think embedded signatures do make sense if your primary way to transport .debs is off-repos and/or you also want to track provenance, have a small set of binaries, or are prepared to rebuild everything to be able to re-sign (even on a stable release); otherwise, for something like Debian, the current repo-signing has always felt superior in all possible ways.
I think there is a certain appeal if we could trust the archive only for versioning (i.e. the set of packages in a suite) and not for content. But that would be very far from where we are and key rotation would need to be built into the system. At which point it should probably be some sort of detached signature, not an embedded one.
> And IMA has indeed the same exact problem, where I'm also not convinced at all about them for the Debian archive. Yet, I still think it would be nice to have a format that might make it possible to explore that, because perhaps for some organizations or distribution methods it does make sense. (Because decoupling the IMA signatures from the general filesystem metadata payload means injecting or changing them is going to be way easier.)
Yeah, that's fair. Having a format where you can just append some signatures on the fly might make sense here. But then maybe they would need to be authenticated differently than the repo root of trust.
Kind regards and thanks for working on this,
Philipp Kern
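The reproducibility and key-rotation trade-off discussed in this exchange, as an added example that is not part of the thread and not code from dpkg, apt or the Debian archive tooling. The Go sketch below uses ed25519 from the standard library as a stand-in for whatever signature scheme a format would actually carry; the artifact bytes are a constructed sample, the key seeds are fixed constants so the run is deterministic, and the trust-store model (old key kept through an overlap window, then dropped) is an assumption about how a verifier would handle rotation. It shows why signing in place changes the built file on every (re-)signing, while a detached signature leaves the built bytes identical and lets a rotated key re-sign without a rebuild.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact stands in for the bytes a package build produced. Constructed sample, not a real .deb.
var Artifact = []byte("Package: example\nVersion: 1.0-1\nconstructed payload bytes\n")

// Fixed seeds keep the example deterministic. A real archive key is never derived from a constant.
var (
	oldKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	newKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
)

// Digest is what a reproducible-builds comparison (or an index listing the file) records.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// EmbedSignature models an in-package signature: the signature becomes part of the file,
// so the shipped bytes no longer equal the build output and change again on every re-signing.
func EmbedSignature(artifact []byte, priv ed25519.PrivateKey) []byte {
	signed := append([]byte{}, artifact...)
	return append(signed, ed25519.Sign(priv, artifact)...)
}

// DetachSignature models a detached signature: the artifact is untouched, so a new signature
// can be issued under a rotated key without rebuilding anything.
func DetachSignature(artifact []byte, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, artifact)
}

// TrustStore is the set of keys a verifier currently accepts (assumed rotation model: add the
// new key, keep the old one for an overlap window, then drop it). Any current key may verify.
type TrustStore struct{ Keys []ed25519.PublicKey }

func (t TrustStore) Verify(artifact, sig []byte) bool {
	for _, k := range t.Keys {
		if ed25519.Verify(k, artifact, sig) {
			return true
		}
	}
	return false
}

// Outcome records what each scheme does to the artifact digest and to verification across a rotation.
type Outcome struct {
	EmbeddedChangesDigest   bool // signing in place alters the file that was built
	ReSignChangesEmbedded   bool // re-signing in place under the new key alters it again
	DetachedKeepsDigest     bool // detached (re-)signing leaves the built file byte-identical
	OldSigAcceptedInOverlap bool // during the overlap window the old signature still verifies
	OldSigRejectedAfter     bool // once the old key is dropped, the old signature fails
	NewSigAcceptedAfter     bool // the new detached signature verifies with only the new key
}

// RunRotation walks one key rotation through both schemes and reports the observable effects.
func RunRotation(artifact []byte) Outcome {
	var o Outcome
	built := Digest(artifact)

	embeddedOld := EmbedSignature(artifact, oldKey)
	embeddedNew := EmbedSignature(artifact, newKey)
	o.EmbeddedChangesDigest = Digest(embeddedOld) != built
	o.ReSignChangesEmbedded = Digest(embeddedOld) != Digest(embeddedNew)

	sigOld := DetachSignature(artifact, oldKey)
	sigNew := DetachSignature(artifact, newKey)
	o.DetachedKeepsDigest = Digest(artifact) == built // the build output was never touched

	overlap := TrustStore{Keys: []ed25519.PublicKey{
		oldKey.Public().(ed25519.PublicKey),
		newKey.Public().(ed25519.PublicKey),
	}}
	after := TrustStore{Keys: []ed25519.PublicKey{newKey.Public().(ed25519.PublicKey)}}

	o.OldSigAcceptedInOverlap = overlap.Verify(artifact, sigOld)
	o.OldSigRejectedAfter = !after.Verify(artifact, sigOld)
	o.NewSigAcceptedAfter = after.Verify(artifact, sigNew)
	return o
}

func main() {
	fmt.Printf("%+v\n", RunRotation(Artifact))
}
```

The part that matters for an archive is the first three fields: with an embedded scheme the bytes a rebuilder produces never match what was shipped, and every rotation produces a third set of bytes for the same package, whereas a detached signature can be replaced in a sidecar (or in an index, as repo signing does today) while the file and its recorded digest stay the same.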