Am 19.09.14 um 06:34 schrieb Paul Wise:
On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote:

Finally did this:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762153
Please note that you proposal to add signatures to .deb files will
break reproducible builds because the hash of the .deb will differ
depending on who signed it:

https://wiki.debian.org/ReproducibleBuilds

I think it would be far better to ship detached signatures in the
archive since that allows for reproducible builds and also means there
could be more than one signer (say one buildd, one Debian sponsor and
one package maintainer).

Isn`t there really any way to include the signatures in the header of the .deb files? Why not simply add multiple signature files in the control.tar.gz of a .deb just next to the md5sums which should in deed be a sha256sums (otherwise there is no way to establish a 'chain of trust'). That would not add any non-determinism because
if it is done right then we can have all the signers in the package!
It would be far better than detaching the signatures from the package because the general use case where you need package signatures is the manual download
of packages. Detached signatures are completely useless for such a use case!






_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds

Reply via email to