Hans-Christoph Steiner:
> > This makes `.deb` hard to use without a repository for anything
> > substantial. I would assume that's why Ubuntu developed the Click
> > package format.
>
> Check out apt-offline, it makes this process easy.

I know about apt-offline. But that was basically my point: you don't manipulate `.deb` by themselves easily as I've seen people do with APKs. It's external tools which make it easy.

You were saying that we needed verifications to be as transparent and automatic as possible. I agree. We have tools which make it happen instead of asking for raw low-level interfaces.

> But .buildinfo is not a replacement for the embedded signature with an
> immutable signature. They solve different problems. This embedded signature
> idea is not really directly related to reproducible builds, but dkg started
> this thread here so I responded.

Except that embedded signatures break the idea of independently reproducible builds. It means that on top of a description of the build environment and the source code, I now need to retrieve a digital signature from the original build if I want it to match.

-- 
Lunar                                .''`.
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'`
                                      `-
_______________________________________________
Reproducible-builds mailing list
Reproducibleemail@example.com
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds