On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:
> A package with some new signatures added is no more the old package.

That is exactly what we do *not* want for reproducible builds.

> It should have a different checksum and be made available again for update.

The Debian archive does not allow files to change their checksum, so every signature addition requires a new version number. That sounds like a bad idea to me.

> Perhaps someone wants to install the package not before certain signatures
> have been added.

That's a good idea and it could certainly be implemented with the design behind reproducible builds as well.

> Your thought experiment would this way of course require an adjusted
> toolchain i.e. sth. like dpkg-cmp that outputs differences in the

We definitely need a tool like this for reproducible builds and indeed it already exists:

https://wiki.debian.org/ReproducibleBuilds#bash_script_to_compare_two_package_builds

Reproducible builds and independent verification of those builds by multiple parties

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/CAKTje6GJWbA7C66SashTWCFixJpdL=yhhk7nv8rkamcktbf...@mail.gmail.com
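The thread's point is that appending a signature member to a .deb changes the whole-file checksum even though the built content is byte-identical, which is why a member-wise comparison tool matters. The following is an added example, not the wiki script or any Debian tool: it parses the ar container that .deb files use, hashes each member, and reports which members differ. The sample archives are constructed in-line; the `_gpgbuilder` member name follows the debsigs convention, but its payload here is fake.

```python
"""Member-wise comparison of two .deb packages (ar archives)."""
import hashlib

AR_MAGIC = b"!<arch>\n"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def ar_members(data: bytes) -> dict[str, bytes]:
    """Parse an ar archive into {member name: member bytes}."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                       # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[:16].decode("ascii").rstrip(" /")   # dpkg pads names with spaces
        size = int(hdr[48:58])
        members[name] = data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                  # members are 2-byte aligned
    return members

def build_ar(members: dict[str, bytes]) -> bytes:
    """Write a minimal ar archive (constructed test input, not real dpkg output)."""
    out = bytearray(AR_MAGIC)
    for name, body in members.items():
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n"
        out += hdr.encode("ascii") + body + (b"\n" if len(body) & 1 else b"")
    return bytes(out)

def compare_debs(a: bytes, b: bytes) -> dict[str, str]:
    """Per-member verdict: 'same', 'differs', 'only in a' or 'only in b'."""
    ma, mb = ar_members(a), ar_members(b)
    report = {}
    for name in sorted(set(ma) | set(mb)):
        if name not in mb:
            report[name] = "only in a"
        elif name not in ma:
            report[name] = "only in b"
        else:
            report[name] = "same" if sha256(ma[name]) == sha256(mb[name]) else "differs"
    return report

# Constructed sample: one build, and the same build with a signature member appended.
BUILD = {"debian-binary": b"2.0\n", "control.tar.gz": b"control-bytes", "data.tar.gz": b"data-bytes!"}
ORIGINAL = build_ar(BUILD)
SIGNED = build_ar({**BUILD, "_gpgbuilder": b"-----BEGIN PGP SIGNATURE-----(fake)"})

if __name__ == "__main__":
    print("whole-file hashes equal:", sha256(ORIGINAL) == sha256(SIGNED))  # False
    for name, verdict in compare_debs(ORIGINAL, SIGNED).items():
        print(f"{name:<16} {verdict}")
```

Running it shows the whole-file hash changing while every content member reports `same` and only `_gpgbuilder` reports `only in b`, which is the distinction a dpkg-cmp-style tool has to make.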