Package: dpkg-dev Version: 1.18.13 Severity: important Dear Maintainer,
We would like dpkg-buildpackage to clearsign the buildinfo files that are created. This allows them to be uploaded to services similar to keyservers, for auditing and attestation purposes, that may be run independently of the FTP archive. Furthermore, we would like user-side tools to download and perform other security-related logic on the signed buildinfo files - e.g. being able to see how many, and exactly who else, managed to *actually reproduce* the binaries that one has installed. Neither these services nor user-tools need to perform archive-related duties or operations, and therefore would prefer to work directly with signed buildinfo files, rather than with signed .changes files plus an unsigned .buildinfo file (which is what the current situation would force). For more discussion on the rationale and intent see here: https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles#Signatures https://wiki.debian.org/ReproducibleBuilds/BuildinfoInfrastructure An analogy that might be helpful is X509 certificates. These are signed attestations by a CA (the signer) that "(I believe) key K belongs to entity E". Compare this with a signed buildinfo file, which is a signed attestation that "I built binary X from [etc]". I'm happy to write this patch myself. That will take a little bit more time - I wanted to file this bug report early to check that you're not opposed to this idea - and before too many other tools start assuming that buildinfo files are unsigned. I think this should not be the case by default, just as you rarely see an unsigned .dsc being distributed. There would also be a -ub option added, along the same lines as -us and -uc. Then debsign from devscripts will also need to be updated, and I'll be happy to write the patch for this too. X -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable'), (300, 'unstable'), (200, 'experimental'), (1, 'experimental-debug') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages dpkg-dev depends on: ii binutils 2.27-9+b1 ii bzip2 1.0.6-8 ii libdpkg-perl 1.18.13 ii make 4.1-9 ii patch 2.7.5-1 pn perl:any <none> ii tar 1.29b-1 ii xz-utils 5.2.2-1.2 Versions of packages dpkg-dev recommends: ii build-essential 12.2 ii clang-3.5 [c-compiler] 1:3.5.2-5 ii fakeroot 1.21-2 ii gcc [c-compiler] 4:6.1.1-1 ii gcc-6 [c-compiler] 6.2.0-10 ii gnupg 2.1.15-4 ii gnupg2 2.1.15-4 ii gpgv 2.1.15-4 ii libalgorithm-merge-perl 0.08-3 Versions of packages dpkg-dev suggests: ii debian-keyring 2016.09.04 -- no debconf information _______________________________________________ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds