What should be the proper practice to manage `.dsc` files on Reprepro?
David A. Wheeler
dwheeler at dwheeler.com
Fri May 27 18:48:52 UTC 2022
I think that in general *signatures* should be separated from *what they are signing*, preferably by being different files.
This solves reproducibility problems. It also solves other problems, e.g., it's quite possible for multiple people to sign something (e.g., "I also approve of this") - that shouldn't change what was being signed.
Of course, it's possible to interpret a file as two parts, the part being signed & the signatures. So it's definitely *possible* to combine them. But there are risks that the split will be implemented incorrectly. It's easier if they're always handled separately; it reduces the risk of incorrect handling.
--- David A. Wheeler
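The contrast the post draws, worked as an added example that is not part of the original message and not code from reprepro, dpkg or the rb project: it uses Ed25519 from the Go standard library as a stand-in signature scheme, a deliberately simplified inline framing (the `-----BEGIN/END SIGNATURE-----` markers are an assumption of this example, not the OpenPGP clearsign format a `.dsc` actually uses), and a constructed sample payload. It shows that a detached signature leaves the artifact bytes, and so its digest, untouched no matter how many parties sign; that an inline signature produces a different file from the payload; and that an inline format forces every verifier to recover exactly the signed bytes, which a naive splitter gets wrong as soon as the payload contains the marker.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Markers for a deliberately simple inline-signature framing. This framing is an
// assumption of this example, not the OpenPGP clearsign format used by .dsc files.
var (
	beginSig = []byte("\n-----BEGIN SIGNATURE-----\n")
	endSig   = []byte("\n-----END SIGNATURE-----\n")
)

// Signer holds a hypothetical Ed25519 key pair for one participant.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Pub: pub, priv: priv}, nil
}

// Digest is what a reproducibility check compares: the hash of the artifact bytes.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// DetachedSign produces a signature that lives in its own file. The artifact is
// never modified, so its digest stays the same however many people sign it.
func DetachedSign(s *Signer, artifact []byte) []byte {
	return ed25519.Sign(s.priv, artifact)
}

// VerifyDetached checks one detached signature against the unmodified artifact.
func VerifyDetached(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

// InlineSign returns a new file: payload followed by a signature block. The result
// is a different byte string from the payload, so its digest differs too.
func InlineSign(s *Signer, payload []byte) []byte {
	sig := ed25519.Sign(s.priv, payload)
	var out bytes.Buffer
	out.Write(payload)
	out.Write(beginSig)
	out.WriteString(hex.EncodeToString(sig))
	out.Write(endSig)
	return out.Bytes()
}

// SplitInline is the extra step an inline format forces on every verifier: it must
// recover exactly the bytes that were signed. This naive version cuts at the first
// marker it finds, which is wrong whenever the payload itself contains that marker.
func SplitInline(file []byte) (payload, sig []byte, ok bool) {
	i := bytes.Index(file, beginSig)
	if i < 0 {
		return nil, nil, false
	}
	rest := file[i+len(beginSig):]
	j := bytes.Index(rest, endSig)
	if j < 0 {
		return nil, nil, false
	}
	sig, err := hex.DecodeString(string(rest[:j]))
	if err != nil {
		return nil, nil, false
	}
	return file[:i], sig, true
}

// VerifyInline splits the file and verifies the recovered payload.
func VerifyInline(pub ed25519.PublicKey, file []byte) bool {
	payload, sig, ok := SplitInline(file)
	return ok && ed25519.Verify(pub, payload, sig)
}

func main() {
	// Constructed sample payload, loosely shaped like .dsc header fields.
	artifact := []byte("Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n")
	alice, _ := NewSigner("alice")
	bob, _ := NewSigner("bob")

	// Detached: two signatures, one unchanged artifact, one stable digest.
	sa, sb := DetachedSign(alice, artifact), DetachedSign(bob, artifact)
	fmt.Println("artifact digest:", Digest(artifact))
	fmt.Println("alice ok:", VerifyDetached(alice.Pub, artifact, sa), "bob ok:", VerifyDetached(bob.Pub, artifact, sb))

	// Inline: the signed file is not the artifact, and a second signer would have to
	// sign a file that already contains the first signature.
	inline := InlineSign(alice, artifact)
	fmt.Println("inline digest matches artifact:", Digest(inline) == Digest(artifact))
	fmt.Println("inline verifies:", VerifyInline(alice.Pub, inline))

	// A payload that happens to contain the marker defeats the naive splitter: the
	// signature is genuine, but the verifier reconstructs the wrong bytes and rejects it.
	tricky := append(append([]byte{}, artifact...), beginSig...)
	tricky = append(tricky, []byte("not a signature"+string(endSig))...)
	fmt.Println("tricky inline verifies:", VerifyInline(alice.Pub, InlineSign(alice, tricky)))
}
```

Note that the naive splitter can only reject a genuine signature here, not accept a forged one, since `ed25519.Verify` covers every byte of whatever payload is recovered; the damage is a valid artifact that fails verification, which is exactly the kind of incorrect handling that disappears when the artifact and its signatures are kept as separate files.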