On Tue 2016-12-06 17:41:34 -0500, Jonathan McDowell wrote:
> The storage of the hashes of the signed buildinfo files in Packages.gz
> seems to be in order to deal with the fact that the signature is not
> available elsewhere. If dkg's suggestion of using ECC signatures is
> followed then some quick checking shows a signature size of 165 bytes
> (when ASCII armoured). This seems sufficiently small to me that you
> could just map it into a Signature: field at the end of the buildinfo
> stanza within buildinfo.xz, with the bonus that at some point that would
> allow for multiple such fields, all within the archive mirror network.

I'd be wary about this "multiple such fields" bit.  it seems likely that
different buildinfo files will not match each other, even if the
*output* is reproducible.  This is because buildinfo files can capture
some things that do not have an impact on the resultant binary
artifacts.

Otherwise, though, i agree with Jonathan that stuffing a small signature
into the buildinfo file itself seems OK.

     --dkg
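Illustrating both points above with an added example (my own, not code from the thread or from Debian's tooling): two constructed, simplified .buildinfo stanzas that describe identical build products but differ in Build-Date, plus the deb822 mapping of an ASCII-armoured signature onto a trailing Signature: field. The armour text is a constructed placeholder, not a real OpenPGP signature.

```python
import hashlib

# Constructed sample stanzas (not from the thread): both builds produced the
# same .deb, but each buildinfo recorded its own Build-Date.
BUILDINFO_A = """\
Format: 1.0
Source: hello
Binary: hello
Architecture: amd64
Version: 2.10-1
Checksums-Sha256:
 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 12345 hello_2.10-1_amd64.deb
Build-Date: Tue, 06 Dec 2016 22:41:34 +0000
"""
BUILDINFO_B = BUILDINFO_A.replace("06 Dec 2016 22:41:34", "07 Dec 2016 01:15:02")

# Placeholder armour block; a real ECC OpenPGP signature would go here.
FAKE_SIG = "-----BEGIN PGP SIGNATURE-----\n\nABCDEF==\n=abcd\n-----END PGP SIGNATURE-----"

def parse_stanza(text):
    """Parse one deb822 stanza into {field: value}. Continuation lines start
    with a space; ' .' encodes an empty line inside a multi-line value."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            fields[key] += "\n" + ("" if line == " ." else line[1:])
        elif ":" in line:
            key, _, val = line.partition(":")
            fields[key] = val.strip()
    return fields

def output_checksums(fields):
    """(sha256, size, filename) triples describing the build products."""
    return {tuple(l.split()) for l in fields["Checksums-Sha256"].splitlines() if l}

def same_output(a, b):
    """True when two buildinfo files vouch for byte-identical artifacts."""
    return output_checksums(parse_stanza(a)) == output_checksums(parse_stanza(b))

def stanza_fingerprint(text):
    """Hash of the whole file: differs whenever any recorded field differs."""
    return hashlib.sha256(text.encode()).hexdigest()

def append_signature_field(text, armored_sig):
    """Map an ASCII-armoured signature onto a trailing Signature: field,
    encoding the armour's blank line as ' .' per deb822 rules."""
    lines = [" ." if l == "" else " " + l for l in armored_sig.splitlines()]
    return text.rstrip("\n") + "\nSignature:\n" + "\n".join(lines) + "\n"

def extract_signature(text):
    """Recover the armoured signature from a stanza written by the function above."""
    return parse_stanza(text)["Signature"].lstrip("\n")
```

Run against the two samples, same_output() is true while stanza_fingerprint() differs, which is exactly why two independently produced buildinfo files cannot be expected to carry signatures over identical bytes.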


_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
