Daniel Kahn Gillmor:
> Hi all--
> 
> On Mon 2016-11-14 12:13:00 -0500, Ximin Luo wrote:
>> A GPG signature with a 4096-bit key is about 800 bytes in base 64:
>>
>> http://ftp.debian.org/debian/dists/sid/ (has 2 signatures, if you use `gpg --list-packets`)
>> http://ppa.launchpad.net/infinity0/rust-nightly/ubuntu/dists/yakkety/
>>
>> so it would be about 600 bytes compressed. Across 24000 source packages, 
>> this would be 
>>
>> 600 * 24000 ~= 13.7MB
>>
>> per architecture (including for arch:all). This doesn't seem too bad 
>> actually.
> 
> If size is a concern, we can make this much smaller by using ed25519 or
> ecdsa P256 signatures from the buildd's instead of RSA 4096.  gpgv in
> Debian stretch is able to validate these signatures, and gpg in Debian
> stretch is able to produce them.  This should reduce the total size of
> the signatures to about ~1MiB per architecture, if i'm calculating this
> correctly.
> 

We should definitely do this, yes, if it's feasible. It would only *decrease* 
the size for non-amd64 arches.

For amd64, I think one nice idea we had way back when was for developers to do 
source-only uploads, but with a signed buildinfo file that includes the binary 
hashes, for the buildds to try to match. In that case, we'd still prefer to 
keep and distribute these large signatures rather than discarding them. But the 
"matching signature" from the buildd should definitely be ed25519 to avoid 
increasing this 13.7 figure even further.

(Assuming most DDs won't start switching to ed25519 themselves, for another few 
years.)

>> In total, this would be (9+13)*2 (one arch:all, one arch:$native) ~=
>> 50MB download, which considering the advantage of not having to
>> contact a 3rd party, I think is just about worth it, even if you only
>> want to rebuild a few packages.
> 
> Can you explain this computation?  i'm assuming 9 is the number of
> debian architectures.  If an architectures builds both arch:all and
> arch:$native, it can do it in a single build, producing a single
> (signed) buildinfo file.  right?  so why the 2?
> 

Sorry, I skipped many steps. This calculation is not about the cost to the 
mirror network. I'm assuming a few hundred extra MB over 10-20 files is going 
to be easy to cope with, and the debug-mirror switch that was already done more 
than offsets this cost.

The calculation was about the worst-case cost, in case 1 rebuilder wants to 
build 1 source package. They would have to download 
Buildinfos-{all,$native}{,.sigs}.xz. By the previous estimates this would be:

Buildinfos-all.xz          9MB
Buildinfos-all.sigs.xz    14MB
Buildinfos-amd64.xz        9MB
Buildinfos-amd64.sigs.xz  14MB
------------------------------
Total                     46MB

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
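The size figures argued over in the thread above (roughly 800 armored bytes per RSA-4096 signature, much less for ed25519 or ECDSA P-256, times 24000 source packages per architecture) follow from the layout of an OpenPGP v4 signature packet in RFC 4880 section 5.2.3. The script below is an added example, not code from the thread or from Debian's tooling: it models the packet size per algorithm from the MPI sizes, the subpackets gpg typically emits (creation time, issuer fingerprint, issuer key ID), the new-format packet header, and the ASCII-armor framing, then scales that to a per-architecture Buildinfos-*.sigs file. The 24000-package count comes from the thread; the assumption that xz on the armored text recovers approximately the binary size (the base64 inflation compresses away, the signature material itself does not) and the algorithm names used as dictionary keys are the example's own.

```python
"""Estimate OpenPGP v4 signature sizes (RFC 4880 section 5.2.3) per algorithm,
binary and ASCII-armored, and scale them to a per-architecture signature file.
Hypothetical size model written for this example; not Debian's tooling."""
import math

# Signature material per public-key algorithm, as MPI lengths in bytes (each
# MPI is prefixed by a 2-byte bit count on the wire).  RSA carries one integer
# the size of the modulus; ECDSA and EdDSA carry two curve-sized scalars (r, s).
SIG_MPI_LENGTHS = {
    "rsa4096": [512],
    "rsa2048": [256],
    "ecdsa-p256": [32, 32],
    "ed25519": [32, 32],
}


def new_format_header_len(body_len):
    """Bytes of a new-format packet header: 1 tag byte plus 1, 2 or 5 length bytes."""
    if body_len < 192:
        return 2
    if body_len < 8384:
        return 3
    return 6


def signature_packet_size(alg, issuer_fpr_subpacket=True):
    """Bytes of a v4 signature packet with the subpackets gpg normally writes."""
    fixed = 4                       # version, signature type, pubkey alg, hash alg
    hashed = 6                      # creation time subpacket: 1 len + 1 type + 4 time
    if issuer_fpr_subpacket:
        hashed += 23                # issuer fingerprint: 1 len + 1 type + 1 version + 20 fpr
    hashed_area = 2 + hashed        # 2-byte count of hashed subpacket data
    unhashed_area = 2 + 10          # issuer key ID subpacket: 1 len + 1 type + 8 key ID
    hash_prefix = 2                 # left 16 bits of the signed hash
    mpis = sum(2 + n for n in SIG_MPI_LENGTHS[alg])
    body = fixed + hashed_area + unhashed_area + hash_prefix + mpis
    return new_format_header_len(body) + body


def armored_size(binary_len):
    """Bytes of the ASCII-armored form: base64 wrapped at 64 columns, CRC-24
    line, and the BEGIN/END framing lines (no Version/Comment headers)."""
    b64 = 4 * math.ceil(binary_len / 3)
    newlines = math.ceil(b64 / 64)
    header = len("-----BEGIN PGP SIGNATURE-----\n\n")
    crc = len("=XXXX\n")
    footer = len("-----END PGP SIGNATURE-----\n")
    return header + b64 + newlines + crc + footer


def per_arch_sigs_file_size(alg, n_packages=24000, sigs_per_package=1):
    """Approximate compressed size of one Buildinfos-*.sigs.xz per architecture.
    Assumption (this example's, not the thread's): xz on the armored text gets
    back to about the binary packet size, since base64 inflation compresses away
    while the signature integers and fingerprints are essentially random."""
    return n_packages * sigs_per_package * signature_packet_size(alg)


def compare(algs=("rsa4096", "rsa2048", "ecdsa-p256", "ed25519"), n_packages=24000):
    """Per algorithm: binary packet bytes, armored bytes, per-arch file bytes."""
    return {
        alg: {
            "binary": signature_packet_size(alg),
            "armored": armored_size(signature_packet_size(alg)),
            "per_arch": per_arch_sigs_file_size(alg, n_packages),
        }
        for alg in algs
    }


if __name__ == "__main__":
    for alg, row in compare().items():
        print(f"{alg:11} {row['binary']:4d} B binary  {row['armored']:4d} B armored  "
              f"{row['per_arch'] / 1e6:5.1f} MB per arch (24000 packages)")
```

Under this model an RSA-4096 signature is 566 bytes binary and 833 bytes armored, matching the "about 800 bytes in base 64" observation, while ed25519 and ECDSA P-256 come to 119 bytes binary; the MPI sizes dominate, so switching the buildd signatures to an elliptic-curve algorithm shrinks the per-architecture total by a factor of about 4.8 rather than changing anything else in the file layout.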
