What should be the proper practice to manage `.dsc` files on Reprepro?

David A. Wheeler dwheeler at dwheeler.com
Fri May 27 18:48:52 UTC 2022

I think that in general *signatures* should be separated from *what they are signing*, preferably by being different files.

This solves reproducibility problems. It also solves other problems, e.g., it's quite possible for multiple people to sign something (e.g., "I also approve of this") - that shouldn't change what was being signed.

Of course, it's possible to interpret a file as two parts, the part being signed & the signatures. So it's definitely *possible* to combine them. But there are risks that the split will be implemented incorrectly. It's easier if they're always handled separately; it reduces the risk of incorrect handling.

--- David A. Wheeler

More information about the rb-general mailing list