hiding data/code in Android APK embedded signatures

Holger Levsen holger at layer-acht.org
Thu Feb 2 14:39:17 UTC 2023

On Wed, Feb 01, 2023 at 08:40:46PM -0500, David A. Wheeler wrote:
> Maybe call it "Ways to combine reproducible builds with signatures and other metadata"?
"other metadata" brings .buildinfo files^w^wSBOMs to my mind and indeed we
have (at least) two concepts here, including the .buildinfo into the package,
as Arch Linux does, and having a separate .buildinfo file, like Debian does.

I've come to think that including the .buildinfo into the package is the
better way (because the advantages outweigh the disadvantages), contrary
to what I thought in 2016 and later, but I don't see Debian changing this
"any time soon", sadly.


 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C

None of us are safe until all of us are safe. Vaccinate the world.
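The two layouts contrasted in the message, as an added example that is not part of the original post and is not code from Arch Linux, Debian or the reproducible-builds project. It mimics an Arch-style package whose build metadata is a member of the archive and a Debian-style package whose metadata lives in a sidecar file that names the package by checksum, then shows the verification difference: with the embedded layout the package digest already covers the metadata, whereas with the separate layout the verifier must check the checksum line in the sidecar itself. The file names, field names and sample contents are assumptions chosen for illustration.

```python
"""Embedded vs. separate build metadata (constructed example, not project code)."""
import hashlib
import io
import tarfile

# Constructed sample payload and build metadata; not real package contents.
PAYLOAD = {"usr/bin/hello": b"#!/bin/sh\necho hello\n"}
BUILD_META = "format = 2\npkgname = hello\npkgver = 1.0-1\nbuilddate = 1675000000\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _add_member(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Add a file to the archive with fixed owner/mtime so output is reproducible."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mtime = 0
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    tar.addfile(info, io.BytesIO(data))


def build_embedded(meta: str = BUILD_META) -> bytes:
    """Arch-style layout (assumed): the metadata file is a member of the tarball,
    so any change to it changes the package digest that gets signed."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_member(tar, ".BUILDINFO", meta.encode())
        for name in sorted(PAYLOAD):
            _add_member(tar, name, PAYLOAD[name])
    return buf.getvalue()


def build_separate(meta: str = BUILD_META) -> tuple[bytes, str]:
    """Debian-style layout (assumed): the package carries no metadata; a sidecar
    lists the package by checksum. Returns (package_bytes, sidecar_text)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(PAYLOAD):
            _add_member(tar, name, PAYLOAD[name])
    pkg = buf.getvalue()
    sidecar = meta + f"Checksums-Sha256:\n {sha256(pkg)} {len(pkg)} hello-1.0-1.tar\n"
    return pkg, sidecar


def read_embedded_meta(pkg: bytes) -> str:
    """Pull the metadata back out of an embedded-layout package."""
    with tarfile.open(fileobj=io.BytesIO(pkg), mode="r") as tar:
        return tar.extractfile(".BUILDINFO").read().decode()


def sidecar_matches(pkg: bytes, sidecar: str) -> bool:
    """Separate layout: the sidecar is bound to the package only by the checksum
    line it carries, so a verifier must recompute and compare that line."""
    for line in sidecar.splitlines():
        if line.startswith(" ") and line.split()[0] == sha256(pkg):
            return True
    return False


if __name__ == "__main__":
    embedded = build_embedded()
    print("embedded digest:", sha256(embedded))
    print("embedded digest after metadata edit:",
          sha256(build_embedded(BUILD_META + "tampered = 1\n")))
    pkg, sidecar = build_separate()
    print("sidecar matches package:", sidecar_matches(pkg, sidecar))
    print("sidecar matches altered package:", sidecar_matches(pkg + b"\0", sidecar))
```

In the embedded layout a signature over the package digest already covers the metadata; in the separate layout the sidecar needs its own signature, and the verifier has to check that the checksum inside it matches the package it is being paired with, which is exactly the extra step the message's "two concepts" differ on.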