Mail archive

Re: [alpine-devel] Report from Reproducible builds summit 2018

From: Chloe Kudryavtsev <>
Date: Mon, 17 Dec 2018 23:07:41 -0500

On 12/17/18 7:33 AM, Natanael Copa wrote:
> * we may need to store the exact versions and/or hashes of the
> dependencies used when a package was built. I am not sure where we
> want to store this. Maybe in the APKINDEX?

I think this is a good idea. Mostly a note in regards to the next comment.

> * we embed the signature in the .apk, which means it's not possible to
> re-create the exact same .apk without having access to the private
> key. I'm not sure how to deal with that.

I do not believe we need to allow for that.
Since we want to store exact versions/hashes of dependencies in the
.apk, I believe we can also store a hash of the resulting tree,
pre-signature (meaning we sign the hash as well).
This hash should be visible using apk(1), to allow people to
programmatically verify that two .apks are the same internally, and
guarantees the integrity of the hash in mirrors.

Received on Mon Dec 17 2018 - 23:07:41 UTC