Hans-Christoph Steiner:
> > This makes `.deb` hard to use without a repository for anything
> > substantial. I would assume that's why Ubuntu developed the Click
> > package format.
> Check out apt-offline, it makes this process easy.

I know about apt-offline. But that was basically my point: you don't
manipulate `.deb` by themselves easily as I've seen people do with APKs.
It's external tools which make it easy.

You were saying that we needed verifications to be as transparent and
automatic as possible. I agree. We have tools which make it happen
instead of asking for raw low-level interfaces.

> But .buildinfo is not a replacement for the embedded signature with an
> immutable signature.  They solve different problems.  This embedded signature
> idea is not really directly related to reproducible builds, but dkg started
> this thread here so I responded.

Except that embedded signatures break the idea of independently
reproducible builds. It means that on top of a description of the build
environment and the source code, I now need to retrieve a digital
signature from the original build if I want it to match.

Lunar                                .''`. 
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 

Attachment: signature.asc
Description: Digital signature

Reproducible-builds mailing list

Reply via email to