[Reproducible-builds] concrete steps for improving apt downloading security and privacy

W. Martin Borgert debacle at debian.org
Sun Sep 21 18:29:19 UTC 2014


On 2014-09-21 20:04, Elmar Stellnberger wrote:
>    A package with some new signatures added is no longer the old package.
> It should have a different checksum and be made available again for update.
> Perhaps someone wants to install the package not before certain signatures
> have been added.

If a package changed whenever another signature was added, this
would invalidate the previous signatures. It is exactly because of
your use case (waiting for a number of signatures, or for a
specific signature, before installation) that the signature must be
kept separate from the actual package.
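The two designs compared above, as an added illustration that is not code from this thread or from apt: detached Ed25519 signatures over a package digest let more signers be added without touching the package, while appending a signature to the package bytes invalidates every signature made before it. Signer names, keys and the package bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DetachedSig is one signer's signature over the package digest, stored outside the package.
type DetachedSig struct {
	Signer string
	Pub    ed25519.PublicKey
	Sig    []byte
}

// packageDigest covers the package bytes only, never a signature, so it is stable.
func packageDigest(pkg []byte) []byte { d := sha256.Sum256(pkg); return d[:] }

// signDetached signs the digest and returns the signature separately from the package.
func signDetached(name string, priv ed25519.PrivateKey, pkg []byte) DetachedSig {
	return DetachedSig{name, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, packageDigest(pkg))}
}

// readyToInstall is the thread's "wait for specific signatures" policy over detached signatures.
func readyToInstall(pkg []byte, sigs []DetachedSig, required ...string) bool {
	have := map[string]bool{}
	for _, s := range sigs {
		have[s.Signer] = have[s.Signer] || ed25519.Verify(s.Pub, packageDigest(pkg), s.Sig)
	}
	for _, r := range required {
		if !have[r] {
			return false
		}
	}
	return true
}

// embedSig is the design the thread rejects: appending a signature to the package changes
// its bytes and digest, so every signature made over the old bytes (this one too) fails.
func embedSig(pkg []byte, s DetachedSig) []byte { return append(append([]byte{}, pkg...), s.Sig...) }

func main() {
	pkg := []byte("constructed stand-in for the bytes of a .deb") // constructed sample, not a real package
	_, a, _ := ed25519.GenerateKey(rand.Reader)
	_, b, _ := ed25519.GenerateKey(rand.Reader)
	sigA, sigB := signDetached("alice", a, pkg), signDetached("bob", b, pkg)
	fmt.Println(readyToInstall(pkg, []DetachedSig{sigA}, "alice", "bob"))          // false: still waiting for bob
	fmt.Println(readyToInstall(pkg, []DetachedSig{sigA, sigB}, "alice", "bob"))    // true: adding bob changed nothing
	fmt.Println(readyToInstall(embedSig(pkg, sigA), []DetachedSig{sigA}, "alice")) // false: embedding broke alice's own sig
}
```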
