On Mon, Oct 9, 2017 at 17:38:56 +0100, Steve McIntyre wrote:
> On Mon, Oct 09, 2017 at 02:01:15PM +0100, Ben Hutchings wrote:
> >It also makes all these packages unreproducible, which is a policy
> >violation.
>
> Surely *anything* with a signature is going to be unreproducible
> directly, by definition. To check for reproducibility, you'll need to
> strip the signatures. Or are you claiming something else?
>
No, the previous scheme allowed reproducibility (in the "dpkg-buildpackage from the source package results in the exact same .deb files" sense), since the signatures were shipped as part of a source package. Attaching fixed signatures to fixed binaries is reproducible.
Cheers, Julien
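The two positions in this exchange can be made concrete with a small model. The following is an added example and is not code from the thread or from any Debian tooling: it uses a constructed toy trailer format and a constructed signature blob rather than a real signing scheme. It shows that attaching a fixed, shipped signature to a fixed binary gives byte-identical output on every build, that a signing service producing a fresh signature per build does not, and that Steve's suggestion (strip the signatures before comparing) recovers comparability in the second case.

```python
import hashlib
import os

# Constructed stand-in for a deterministic build output (e.g. a kernel image).
BINARY = b"\x7fELF" + b"deterministic build output" * 4

# Toy trailer format (an assumption for this example, not a real format):
#   binary || signature || 4-byte big-endian signature length || magic
SIG_MAGIC = b"SIGv1"

# Constructed bytes standing in for a detached signature shipped in the
# source package; this is not a real signature.
FIXED_SIGNATURE = bytes.fromhex("deadbeef" * 8)


def attach_signature(binary: bytes, signature: bytes) -> bytes:
    """Attach a signature to a binary as a trailer."""
    return binary + signature + len(signature).to_bytes(4, "big") + SIG_MAGIC


def strip_signature(blob: bytes) -> bytes:
    """Remove a trailer written by attach_signature; unsigned input is returned unchanged."""
    if not blob.endswith(SIG_MAGIC):
        return blob
    body = blob[: -len(SIG_MAGIC)]
    siglen = int.from_bytes(body[-4:], "big")
    return body[: -4 - siglen]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_with_shipped_signature() -> bytes:
    """Scheme 1: the signature is a fixed file in the source package."""
    return attach_signature(BINARY, FIXED_SIGNATURE)


def build_with_fresh_signature() -> bytes:
    """Scheme 2: a signing step produces a new signature on every build.

    Real signature formats often include a timestamp or randomness; a random
    nonce models that here (toy construction, not a real signing algorithm).
    """
    nonce = os.urandom(8)
    signature = hashlib.sha256(BINARY + nonce).digest() + nonce
    return attach_signature(BINARY, signature)


def reproducible(build_fn, strip: bool = False) -> bool:
    """Build twice and compare; optionally strip signatures before comparing."""
    first, second = build_fn(), build_fn()
    if strip:
        first, second = strip_signature(first), strip_signature(second)
    return sha256(first) == sha256(second)


if __name__ == "__main__":
    print("shipped signature, byte-for-byte:", reproducible(build_with_shipped_signature))
    print("fresh signature, byte-for-byte:  ", reproducible(build_with_fresh_signature))
    print("fresh signature, stripped first: ", reproducible(build_with_fresh_signature, strip=True))
```

The first case is the "dpkg-buildpackage from the source package results in the exact same .deb files" sense of reproducibility Julien describes; the last case is the weaker check Steve describes, which needs a tool that knows the signature format well enough to strip it.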