Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

On 09/21/2014 02:04 PM, Elmar Stellnberger wrote: > a well programmed dpkg-cmp. > ... and as long as the tool should not be available simply un-ar and > compare > the data.tar.gz-s. fwiw, this suggestion fails to compare the contents of control.tar.gz, which includes the maintainer scripts (preins

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

On 09/22/2014 04:07 AM, Elmar Stellnberger wrote: > Am 22.09.14 um 01:52 schrieb Paul Wise: >> The Debian archive does not allow files to change their checksum, so >> every signature addition requires a new version number. That sounds >> like a bad idea to me. > Yes, that is something we definitel

Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

Am 22.09.14 um 01:52 schrieb Paul Wise: On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote: A package with some new signatures added is no more the old package. That is exactly what we do *not* want for reproducible builds. It should have a different checksum and be made available