On Wed, Aug 28, 2013 at 11:45:07PM -0400, Hans-Christoph Steiner wrote:
> I want to run an unusual idea by everyone here as an approach to getting an
> outside signature into a packaged Java jar built from source on the Debian
> build machines: we want to get http://martus.org packaged and into Debian.
> Martus is an app that has high requirements for security, so they have a very
> careful build and signing process. They want to be able to include their jar
> signature in the jar that is included in the Debian package.
Is there a reason that it needs to be signed? Will the server software, for instance, reject talking to the client if the client isn't signed? I don't really see how it could do that.

The shipment of files in Debian is already being signed. That is, you can be sure that the .deb file is really what is in Debian. That however doesn't mean that someone might not somehow have altered the .jar file after installation. But if they have altered the .jar file, there is nothing that prevents them from altering other files, and I don't see how you prevent running an altered .jar file with the signature.

So I have to wonder what the added benefit is of having those files checked in Debian. I'm sure that it's very useful for checking what they ship and that people can verify that what they downloaded was correct.

It would also be useful if they could somehow make those builds reproducible, and so not contain timestamps, so that everybody can verify that the .jar file they ship and the source match.

Kurt

Archive: http://lists.debian.org/[email protected]
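The two mechanisms the reply touches on, the per-entry digests that a jar signature verifies and the timestamp removal that makes a jar build reproducible, can be shown side by side. The following is an added example written for this page, not code from Martus, Debian or the thread; it builds a small jar from constructed sample files with fixed timestamps and sorted entries, writes `SHA-256-Digest` lines into `META-INF/MANIFEST.MF` the way jarsigner does, and checks those digests against the entries. It deliberately stops at the manifest layer: a real jarsigner signature also signs the manifest (the `.SF` and `.RSA` files), and without that the manifest can be rewritten along with any entry, which is exactly the point made above about altered files after installation. The file names and contents are invented for the example.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample files standing in for a build's output (not real Martus classes).
SAMPLE_FILES = {
    "org/example/App.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "org/example/config.properties": b"server=https://example.invalid\n",
}

# Zip epoch. Every entry gets this fixed mtime so two builds of the same
# sources produce byte-identical jars (the reproducibility point in the reply).
FIXED_TIME = (1980, 1, 1, 0, 0, 0)
MANIFEST = "META-INF/MANIFEST.MF"


def _digest(data: bytes) -> str:
    """Base64 SHA-256, the encoding jar manifests use for SHA-256-Digest."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(files: dict) -> bytes:
    """Write a manifest with a Name/SHA-256-Digest section per entry, sorted for determinism."""
    lines = ["Manifest-Version: 1.0", ""]
    for name in sorted(files):
        lines += [f"Name: {name}", f"SHA-256-Digest: {_digest(files[name])}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def build_jar(files: dict) -> bytes:
    """Return jar bytes: fixed timestamps, sorted entry order, stored (uncompressed) entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(MANIFEST, FIXED_TIME), build_manifest(files))
        for name in sorted(files):
            zf.writestr(zipfile.ZipInfo(name, FIXED_TIME), files[name])
    return buf.getvalue()


def parse_manifest(data: bytes) -> dict:
    """Collect {entry name: expected digest} from the manifest's Name/SHA-256-Digest pairs."""
    expected, name = {}, None
    for line in data.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            expected[name] = line[len("SHA-256-Digest: "):]
            name = None
    return expected


def verify_jar(jar_bytes: bytes) -> list:
    """Return the entries whose content no longer matches (or is missing from) the manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        expected = parse_manifest(zf.read(MANIFEST))
        return [
            name for name in zf.namelist()
            if name != MANIFEST and expected.get(name) != _digest(zf.read(name))
        ]


def replace_entry(jar_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Rewrite one entry and leave the manifest alone, simulating post-install tampering."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(zipfile.ZipInfo(info.filename, FIXED_TIME), data)
    return out.getvalue()


if __name__ == "__main__":
    jar = build_jar(SAMPLE_FILES)
    print("reproducible:", jar == build_jar(SAMPLE_FILES))
    print("clean jar mismatches:", verify_jar(jar))
    tampered = replace_entry(jar, "org/example/config.properties", b"server=https://tampered.invalid\n")
    print("tampered jar mismatches:", verify_jar(tampered))
```

Running it shows the same sources giving identical jar bytes regardless of the order the files are supplied in, a clean jar passing the digest check, and a jar whose properties file was edited in place being reported, while the manifest itself is still unsigned here and so would have to be covered by a signature to make that report trustworthy.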

