Hi all--

On Mon 2016-11-14 12:13:00 -0500, Ximin Luo wrote:
> A GPG signature with a 4096-bit key is about 800 bytes in base 64:
>
> http://ftp.debian.org/debian/dists/sid/ (has 2 signatures, if you use `gpg
> --list-packets`)
> http://ppa.launchpad.net/infinity0/rust-nightly/ubuntu/dists/yakkety/
>
> so it would be about 600 bytes compressed. Across 24000 source packages, this
> would be
>
> 600 * 24000 ~= 13.7MB
>
> per architecture (including for arch:all). This doesn't seem too bad actually.
If size is a concern, we can make this much smaller by using ed25519 or ecdsa
P256 signatures from the buildds instead of RSA 4096. gpgv in Debian stretch is
able to validate these signatures, and gpg in Debian stretch is able to produce
them. This should reduce the total size of the signatures to about 1 MiB per
architecture, if I'm calculating this correctly.

> In total, this would be (9+13)*2 (one arch:all, one arch:$native) ~=
> 50MB download, which considering the advantage of not having to
> contact a 3rd party, I think is just about worth it, even if you only
> want to rebuild a few packages.

Can you explain this computation? I'm assuming 9 is the number of Debian
architectures. If an architecture builds both arch:all and arch:$native, it
can do it in a single build, producing a single (signed) buildinfo file,
right? So why the 2? So the extra cost of the signatures is ~9*13 -- one
signed copy from each architecture's buildd, which is 104MB.

Using smaller signing keys on the buildds sounds better to me.

--dkg
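The size figures traded in this thread (~800 bytes armored for an RSA 4096 signature, far less for ed25519/ecdsa) follow directly from the OpenPGP packet layout, so here is a worked model of that layout. This is an added example, not code from the thread or from Debian: it builds a synthetic RFC 4880 v4 signature packet for each algorithm under discussion, parses it back the way `gpg --list-packets` reports it, and measures the binary, ASCII-armored and zlib-compressed sizes. The subpacket set (creation time, issuer fingerprint, issuer key ID) is the one current gpg emits and is an assumption; the MPI values are random filler, so the byte layout is real but the signatures are not, and the 24000-package / 9-architecture numbers in `corpus_cost` are simply the thread's own figures.

```python
"""OpenPGP detached-signature size model (RFC 4880 packet layout).

Added example; not code from the mailing-list thread or from Debian.
The MPI contents are deterministic random filler (constructed input):
the packet structure is faithful, the signatures are not verifiable.
"""
import base64
import random
import struct
import zlib

ALGO_RSA, ALGO_ECDSA, ALGO_EDDSA = 1, 19, 22            # RFC 4880 / RFC 6637 IDs
ALGO_NAMES = {ALGO_RSA: "RSA 4096", ALGO_ECDSA: "ECDSA P-256", ALGO_EDDSA: "Ed25519"}
SIG_MPI_BITS = {                                        # MPIs in the signature body
    ALGO_RSA: [4096],                                   # one value for a 4096-bit key
    ALGO_ECDSA: [256, 256],                             # r, s
    ALGO_EDDSA: [256, 256],                             # r, s (EdDSA, algorithm 22)
}
_rng = random.Random(20161114)                          # deterministic filler source


def _mpi(bits):
    """MPI: 2-byte bit count, then big-endian magnitude with the top bit set."""
    value = bytes(_rng.getrandbits(8) for _ in range((bits + 7) // 8))
    return struct.pack(">H", bits) + bytes([value[0] | 0x80]) + value[1:]


def _subpacket(subtype, body):
    """Signature subpacket with a one-byte length (RFC 4880 5.2.3.1)."""
    return bytes([len(body) + 1, subtype]) + body


def build_signature_packet(algo):
    """Synthetic v4 detached signature (tag 2). Subpacket set assumed to match
    current gpg: creation time + issuer fingerprint (hashed), issuer key ID
    (unhashed); live signatures may differ by a handful of bytes."""
    hashed = _subpacket(2, b"\x00" * 4)                 # signature creation time
    hashed += _subpacket(33, b"\x04" + b"\x00" * 20)    # issuer fingerprint, v4 key
    unhashed = _subpacket(16, b"\x00" * 8)              # issuer key ID
    body = bytes([4, 0x00, algo, 8])                    # v4, binary doc, algo, SHA-256
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\x00\x00"                                 # left 16 bits of the hash
    body += b"".join(_mpi(bits) for bits in SIG_MPI_BITS[algo])
    if len(body) < 256:                                 # old-format header, tag 2
        return bytes([0x88, len(body)]) + body          # one-byte length
    return b"\x89" + struct.pack(">H", len(body)) + body  # two-byte length


def parse_signature_packet(pkt):
    """Decode what `gpg --list-packets` would show: tag, version, algorithm,
    subpacket region sizes and the bit length of each signature MPI."""
    if pkt[0] & 0xC0 != 0x80:
        raise ValueError("only old-format packet headers are handled here")
    tag, length_type = (pkt[0] >> 2) & 0x0F, pkt[0] & 0x03
    if length_type == 0:
        body, pos = pkt[2:2 + pkt[1]], 4
    elif length_type == 1:
        body, pos = pkt[3:3 + struct.unpack(">H", pkt[1:3])[0]], 4
    else:
        raise ValueError("unexpected length type")
    version, algo = body[0], body[2]
    hashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + unhashed_len + 2                          # skip the hash prefix too
    mpi_bits = []
    while pos < len(body):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        mpi_bits.append(bits)
        pos += 2 + (bits + 7) // 8
    return {"tag": tag, "version": version, "algo": ALGO_NAMES.get(algo, algo),
            "hashed_len": hashed_len, "unhashed_len": unhashed_len,
            "mpi_bits": mpi_bits, "binary_size": len(pkt)}


def crc24(data):
    """CRC-24 as specified in RFC 4880 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(pkt):
    """ASCII armor (RFC 4880 6.2): 64-column base64 plus '=' CRC-24 trailer."""
    b64 = base64.b64encode(pkt).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(pkt).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + lines + "\n=" + crc
            + "\n-----END PGP SIGNATURE-----\n")


def signature_sizes(algo):
    """Binary / armored / zlib-compressed size of one detached signature."""
    pkt = build_signature_packet(algo)
    info = parse_signature_packet(pkt)
    armored = armor(pkt).encode()
    return {"algo": info["algo"], "mpi_bits": info["mpi_bits"], "binary": len(pkt),
            "armored": len(armored), "compressed": len(zlib.compress(armored, 9))}


def corpus_cost(per_sig_bytes, packages=24000, arches=9):
    """One signature per source package per architecture (thread's figures)."""
    per_arch = per_sig_bytes * packages
    return {"per_arch": per_arch, "all_arches": per_arch * arches}


if __name__ == "__main__":
    for algo in ALGO_NAMES:
        s = signature_sizes(algo)
        print(s, "per-arch armored:", corpus_cost(s["armored"])["per_arch"])
```

The RSA 4096 packet comes out at 566 bytes binary and 833 bytes armored, which is the "about 800 bytes in base 64" figure in the quoted message; the two ECC variants are 119 bytes binary and 228 bytes armored with this subpacket set. The compressed column is only indicative: random filler compresses like a real signature does, but the armor headers dominate the savings for the small ECC packets.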
_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds