On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:

>    A package with some new signatures added is no more the old package.

That is exactly what we do *not* want for reproducible builds.

> It should have a different checksum and be made available again for update.

The Debian archive does not allow files to change their checksum, so
every signature addition requires a new version number. That sounds
like a bad idea to me.

> Perhaps someone wants to install the package not before certain signatures
> have been added.

Thats a good idea and it could certainly be implemented with the
design behind reproducible builds as well.

> Your thought experiment would this way of course require an adjusted
> toolchain i.e. sth. like dpkg-cmp that outputs differences in the

We definitely need a tool like this for reproducible builds and indeed
it already exists:

https://wiki.debian.org/ReproducibleBuilds#bash_script_to_compare_two_package_builds

Reproducible builds and independent verification of those builds by
multiple parties

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds

Reply via email to