Ximin Luo:
> Signatures provide a way for us to aggregate public trust on binaries that
> don't build themselves. So it's important to have multiple and *very direct*
> meanings of what-is-being-signed, to avoid a transitive-trust situation.
>
I sent this in a rush; better version:
Signatures
Jonathan McDowell:
> On Sun, Aug 21, 2016 at 04:01:00PM +, Ximin Luo wrote:
>> You have this backwards.
>>
>> "Being able to verify individually who built each of the packages I'm
>> running"
>>
>> is *exactly* what is required to *not* have to
>>
>> "attribute trust of *all* of the people who
On 2016-07-25, Jonathan McDowell wrote:
> I propose instead a Buildinfo.xz (or gz or whatever) file, which is a
> single text file containing all of the buildinfo information that
> corresponds to the Packages list. What is lost by this approach are the
> OpenPGP signatures that .buildinfo files
Having been impressed by the current status of reproducible builds and
the fact it looks like we're close to having the important pieces in
Debian proper, I have started to have a look at how I could help out
with this bug. I've done some poking around in the dak code, and think I
have a vague idea