What should be the proper practice to manage `.dsc` files on Reprepro?

Vagrant Cascadian vagrant at reproducible-builds.org
Fri May 27 19:22:23 UTC 2022


On 2022-05-27, David A. Wheeler wrote:
> I think that in general *signatures* should be separated from *what
> they are signing*, preferably by being different files.
>
> This solves reproducibility problems. It also solves other problems,
> e.g., it's quite possible for multiple people to sign something (e.g.,
> "I also approve of this") - that shouldn't change what was being
> signed.
>
> Of course, it's possible to interpret a file as two parts, the part
> being signed & the signatures. So it's definitely *possible* to
> combine them. But there are risks that the split will be implemented
> incorrectly. It's easier if they're always handled separately; it
> reduces the risk of incorrect handling.

Absolutely agreed!

That said, in the context of Debian's .dsc files, there are decades of
history here that are not likely to change... any time soon.

Though really, the .dsc files themselves are in fact the signed metadata
here; the actual data is the PACKAGE_VERSION.orig.tar.gz and other
files that the .dsc file references. Though that still makes it a little
tricky to have multi-party signatures...


live well,
  vagrant
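As an added illustration of the "two parts" split the thread discusses (example code written for this page, not from the thread, from Debian's tooling or from reprepro): it separates a constructed clearsigned .dsc into its signed body and its signature block, then checks the files the .dsc references against the signed Checksums-Sha256 field. The .dsc content, file names and file bytes are constructed; the signature block is a placeholder, and verifying the OpenPGP signature itself (which needs the signer's key) is deliberately out of scope.

```python
import hashlib
import re

# Constructed stand-ins for the data files the .dsc references (11 and 12 bytes).
FILES = {"example_1.0.orig.tar.gz": b"orig-bytes\n",
         "example_1.0-1.debian.tar.xz": b"debian-bytes"}

# Constructed .dsc in RFC 4880 cleartext framing; the signature block is a placeholder.
SAMPLE_DSC = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: example
Version: 1.0-1
Checksums-Sha256:
 {} 11 example_1.0.orig.tar.gz
 {} 12 example_1.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
placeholderSignatureBlock==
-----END PGP SIGNATURE-----
""".format(*(hashlib.sha256(FILES[n]).hexdigest() for n in FILES))

def split_cleartext(dsc_text):
    """Split a clearsigned .dsc into (signed body, armored signature block), undoing
    RFC 4880 dash-escaping ("- " prefix) on body lines: the easy-to-get-wrong step."""
    m = re.match(r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)\n?"
                 r"(-----BEGIN PGP SIGNATURE-----\n.*?-----END PGP SIGNATURE-----)",
                 dsc_text, re.S)
    if not m:
        raise ValueError("not a clearsigned file")
    body = "\n".join(l[2:] if l.startswith("- ") else l for l in m.group(1).split("\n"))
    return body, m.group(2)

def parse_checksums(body):
    """Return {name: (sha256hex, size)} from the deb822 Checksums-Sha256 field."""
    m = re.search(r"^Checksums-Sha256:\n((?:[ \t].*\n?)*)", body, re.M)
    return {n: (d, int(s)) for d, s, n in
            (l.split() for l in m.group(1).splitlines())} if m else {}

def verify_referenced_files(dsc_text, files):
    """Map each referenced file to True iff its size and SHA-256 match the signed
    metadata (files: {name: bytes}). The signature itself is not checked here."""
    body, _sig = split_cleartext(dsc_text)
    return {name: name in files and len(files[name]) == size
            and hashlib.sha256(files[name]).hexdigest() == digest
            for name, (digest, size) in parse_checksums(body).items()}

if __name__ == "__main__":
    print(verify_referenced_files(SAMPLE_DSC, FILES))
```

A real .dsc is handled by dpkg-source and gpg; this parser only shows how the signed metadata and the referenced data relate.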