Jérémy Bobbio wrote:
> Hans-Christoph Steiner:
>>> This makes `.deb` hard to use without a repository for anything
>>> substantial. I would assume that's why Ubuntu developed the Click
>>> package format.
>> Check out apt-offline, it makes this process easy.
> I know about apt-offline. But that was basically my point: you don't
> manipulate `.deb` by themselves easily as I've seen people do with APKs.
> It's external tools which make it easy.
> You were saying that we needed verifications to be as transparent and
> automatic as possible. I agree. We have tools which make it happen
> instead of asking for raw low-level interfaces.

But the apt signatures expire after two weeks.  So that does not work for an
offline system.

>> But .buildinfo is not a replacement for the embedded signature with an
>> immutable signature.  They solve different problems.  This embedded signature
>> idea is not really directly related to reproducible builds, but dkg started
>> this thread here so I responded.
> Except that embedded signatures break the idea of independently
> reproducible builds. It means that on top of a description of the build
> environment and the source code, I now need to retrieve a digital
> signature from the original build if I want it to match.

It really does not break reproducible builds, if implemented properly. Just
include the complete canonical signature in .buildinfo in base64 format.  I
don't see the problem there.


PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81

Reproducible-builds mailing list

Reply via email to