Subject: Re: [alpine-devel] Report from Reproducible builds summit 2018
From: Chloe Kudryavtsev
To: alpine-devel@lists.alpinelinux.org
Date: Mon, 17 Dec 2018 23:07:41 -0500
Message-ID: <1a664e98-3f41-5503-60af-98865c0b785f@toastin.space>
In-Reply-To: <20181217133328.4dd1ef26@ncopa-desktop.copa.dup.pw>

On 12/17/18 7:33 AM, Natanael Copa wrote:
> * we may need to store the exact versions and/or hashes of the
>   dependencies used when a package was built. I am not sure where we
>   want to store this. Maybe in the APKINDEX?

I think this is a good idea. Mostly a note in regards to the next comment.

> * we embed the signature in the .apk, which means it's not possible to
>   re-create the exact same .apk without having access to the private
>   key. I'm not sure how to deal with that.

I do not believe we need to allow for that.

Since we want to store exact versions/hashes of dependencies in the .apk, I believe we can also store a hash of the resulting tree, pre-signature (meaning we sign the hash as well).

This hash should be visible using apk(1), to allow people to programmatically verify that two .apks are the same internally, and guarantees the integrity of the hash in mirrors.
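The scheme proposed in this reply, modelled as an added example in Python (not code from the thread, from Alpine, or from apk-tools): the package content is a deterministic tar that includes a pinned-dependency manifest, a hash of that content is computed before signing, the signature covers that hash, and two packages can be compared by content hash even when they carry different signatures. The package layout (a fixed-size signature segment followed by the unsigned content), the `.DEPS` manifest name, the sample file, version strings and keys are all constructed for the example; HMAC-SHA256 stands in for the maintainer's private-key signature only so the example runs with the standard library.

```python
import hashlib
import hmac
import io
import json
import tarfile

SIG_LEN = 32  # fixed-size signature segment (toy layout, not apk's real container format)


def build_content(files, deps):
    """Deterministic tar of the package tree plus a '.DEPS' manifest.

    `files` maps path -> bytes; `deps` maps dependency name -> the exact
    version (or hash) used at build time. Fixed mtime/uid/gid and sorted
    entries make the bytes identical across rebuilds, so the content hash
    below is reproducible.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        manifest = json.dumps(deps, sort_keys=True).encode()
        for name, data in [(".DEPS", manifest)] + sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0            # no build-time timestamps
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def content_hash(content: bytes) -> str:
    """The pre-signature hash: the value apk(1) would expose for comparison."""
    return hashlib.sha256(content).hexdigest()


def sign(content: bytes, key: bytes) -> bytes:
    """Stand-in for the maintainer's private-key signature over the content hash.

    HMAC-SHA256 is used only so the example runs without a crypto library;
    a real package would carry an asymmetric signature here.
    """
    return hmac.new(key, content_hash(content).encode(), "sha256").digest()


def package(content: bytes, key: bytes) -> bytes:
    """Signature segment first, then the unsigned content (toy layout)."""
    return sign(content, key) + content


def split_package(pkg: bytes):
    return pkg[:SIG_LEN], pkg[SIG_LEN:]


def verify(pkg: bytes, key: bytes) -> bool:
    sig, content = split_package(pkg)
    return hmac.compare_digest(sig, sign(content, key))


def same_contents(pkg_a: bytes, pkg_b: bytes) -> bool:
    """True when two packages are identical below the signature, whoever signed them."""
    return content_hash(split_package(pkg_a)[1]) == content_hash(split_package(pkg_b)[1])


# Constructed sample input: one file and one pinned dependency.
FILES = {"usr/bin/hello": b"#!/bin/sh\necho hello\n"}
DEPS = {"musl": "1.1.20-r3"}          # constructed version string
KEY_A = b"maintainer-key-A"           # constructed toy keys
KEY_B = b"rebuilder-key-B"

PKG_A = package(build_content(FILES, DEPS), KEY_A)
PKG_B = package(build_content(FILES, DEPS), KEY_B)                    # same build, different signer
PKG_C = package(build_content(FILES, {"musl": "1.1.21-r0"}), KEY_A)   # different dependency pin

if __name__ == "__main__":
    print("A == B bytes:   ", PKG_A == PKG_B)                # False: signatures differ
    print("A ~ B content:  ", same_contents(PKG_A, PKG_B))   # True: same tree, same deps
    print("A ~ C content:  ", same_contents(PKG_A, PKG_C))   # False: dependency pin changed
    print("A verifies (A): ", verify(PKG_A, KEY_A))          # True
    print("content hash A: ", content_hash(split_package(PKG_A)[1]))
```

The point the comparison makes is that an independent rebuilder who lacks the maintainer's private key cannot reproduce `PKG_A` byte for byte, but can reproduce its content hash and check it against the value the signed package publishes; because the dependency manifest is part of the hashed content, a change in any pinned dependency shows up as a mismatch rather than passing silently.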