Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

2014-09-21 Thread W. Martin Borgert
On 2014-09-21 20:04, Elmar Stellnberger wrote:
> A package with some new signatures added is no more the old package. It should have a different checksum and be made available again for update. Perhaps someone wants to install the package not before certain signatures have been added.
If a

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

2014-09-21 Thread Richard van den Berg
On 21 sep. 2014, at 20:29, W. Martin Borgert deba...@debian.org wrote:
> If a package would change by adding another signature, then this would invalidate previous signatures.
Package formats like apk and jar avoid this chicken and egg problem by hashing the files inside a package, and storing

[Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process

2014-09-21 Thread Jérémy Bobbio
Source: libgpg-error
Version: 1.16-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertag: timestamps

Hi! As part of the “reproducible builds” effort [1], it was detected that libgpg-error could not be built reproducibly. The build process captures the time of

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

2014-09-21 Thread W. Martin Borgert
On 2014-09-21 21:13, Richard van den Berg wrote:
> Package formats like apk and jar avoid this chicken and egg problem by hashing the files inside a package, and storing those hashes in a manifest file.
Is there a chicken and egg problem? Only if one insists on embedding the signatures in one

Re: [Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process

2014-09-21 Thread Dominic Hargreaves
On Sun, Sep 21, 2014 at 10:45:14PM +0200, Jérémy Bobbio wrote:
> As part of the “reproducible builds” effort [1], it was detected that libgpg-error could not be built reproducibly. The build process captures the time of the build. This piece of information is not really helpful to anyone and

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

2014-09-21 Thread Paul Wise
On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:
> A package with some new signatures added is no more the old package.
That is exactly what we do *not* want for reproducible builds.
> It should have a different checksum and be made available again for update.
The Debian archive