On 09/22/2014 04:07 AM, Elmar Stellnberger wrote:
> On 22.09.14 at 01:52, Paul Wise wrote:
>> The Debian archive does not allow files to change their checksum, so
>> every signature addition requires a new version number. That sounds
>> like a bad idea to me.
> Yes, that is something we definitely do not want.
> Nonetheless it would still be an issue to have the package and the
> signatures in one file because we usually need them together. My only
> idea to realize this in spite of the said objection would be another
> proposal:
> Put the .deb and the signatures into one .ar called .sdeb and make tools
> like dpkg work on .sdebs or on .deb + signatures respectively. Whenever
> someone offers some packages for download that will be in the form of
> .sdebs while official debian repositories may separate both kinds of
> files. User interfaces like http://debtags.debian.net/search/ could then
> generate .sdebs on the fly to satisfy petted users.

This is almost exactly what i proposed a couple days ago on the
reproducible-builds mailing list, except that i used the extension
.debs instead of .sdeb :)

	--dkg

http://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20140915/000432.html

_______________________________________________
Reproducible-builds mailing list
Reproduciblefirstname.lastname@example.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
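
The container idea discussed in this thread, as an added example (not code from the thread, from dpkg, or from either proposal): a .deb and its detached signatures are wrapped in an outer ar archive, so adding a signature changes the wrapper while the inner .deb keeps its checksum. The member names (`sigN.asc`), the `make_sdeb` helper and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
AR_MAGIC = b"!<arch>\n"

def ar_pack(members):
    """Build a common-format ar archive from (name, bytes) pairs."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        if not name or len(name) > 16 or " " in name:
            raise ValueError(f"unsupported member name: {name!r}")
        # Fields: name(16) mtime(12) uid(6) gid(6) mode(8) size(10), then "`\n"
        head = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"
        out += head.encode("ascii") + data
        if len(data) % 2:
            out += b"\n"  # member data is padded to an even length
    return bytes(out)

def ar_unpack(blob):
    """Return the (name, bytes) members of an ar archive, rejecting damage."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        head = blob[pos:pos + 60]
        if len(head) != 60 or head[58:] != b"`\n":
            raise ValueError(f"corrupt member header at offset {pos}")
        size = int(head[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member data")
        members.append((head[:16].decode("ascii").rstrip(), data))
        pos += 60 + size + size % 2
    return members

def make_sdeb(deb_name, deb_bytes, signatures):
    """Wrap an unmodified .deb plus detached signatures (hypothetical layout)."""
    sigs = [(f"sig{i}.asc", sig) for i, sig in enumerate(signatures)]
    return ar_pack([(deb_name, deb_bytes)] + sigs)

def inner_deb_sha256(sdeb):
    """Checksum of the wrapped .deb, which is always the first member."""
    return hashlib.sha256(ar_unpack(sdeb)[0][1]).hexdigest()

if __name__ == "__main__":
    # Constructed stand-in for a real package: a .deb is itself an ar archive.
    deb = ar_pack([("debian-binary", b"2.0\n"), ("control.tar.gz", b"ctl"),
                   ("data.tar.gz", b"payload")])
    for sigs in ([b"SIG-A"], [b"SIG-A", b"SIG-B"]):  # placeholder signatures
        sdeb = make_sdeb("hello.deb", deb, sigs)
        print(len(sigs), hashlib.sha256(sdeb).hexdigest()[:16], inner_deb_sha256(sdeb)[:16])
```

The wrapper only carries the signatures; a consumer still has to verify each one against the extracted .deb bytes before trusting the package.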