Groups | Search | Server Info | Keyboard shortcuts | Login | Register

Groups > linux.debian.devel > #119519

Re: Hard Rust requirements from May onward

From Simon Josefsson <simon@josefsson.org>
Newsgroups linux.debian.devel
Subject Re: Hard Rust requirements from May onward
Date 2025-11-09 23:00 +0100
Message-ID <LPlC2-bKHO-13@gated-at.bofh.it> (permalink)
References (6 earlier) <LMkVP-9FTx-3@gated-at.bofh.it> <LMpC9-9JdA-1@gated-at.bofh.it> <LMq5b-9JG6-1@gated-at.bofh.it> <LMCJ3-9S05-3@gated-at.bofh.it> <LPkmC-bJVj-13@gated-at.bofh.it>
Organization linux.* mail to news gateway

Show all headers | View raw

[Multipart message — attachments visible in raw view] - view raw

Philipp Kern <pkern@debian.org> writes:

> Hi,
>
> On 11/2/25 10:32 AM, Simon Josefsson wrote:
>> Philipp Kern <pkern@debian.org> writes:
>> 
>>> In trying to retrofit this I also ran into the classic "and now I have
>>> an additional file to InRelease to provide the inclusion proof"
>>> problem.
>> What do you think about putting all signatures in the InRelease
>> file?
>> The content to sign would be the same as the text in the PGP-armored
>> InRelease file, which (modulo the long-standing final newline
>> misbehaviour) is the same as the content of the Release file.
>
> Wouldn't that break existing consumption of the file by apt and we
> would need a new one? Or does apt ignore bytes after the signature?

Current apt frowns upon such a file, but presumably that could be fixed
in forky.  I suppose forky could still rely on PGP by default, but could
support Sigstore/Sigsum/SSH/minisign/signify/whatever in addition to
PGP, if people turn a knob.

I don't know how things are implemented on the server side, or who the
responsible people are -- I suppose some people may consider it less
risky to introduce a new file and migrate to it, than to modify the
existing InRelease files.

> Similarly there is a question of what exactly to sign, with GPG's
> cleartext canonicalization and all.

Yes -- that should be fixed.  From a specification/policy point of view,
I think what should be done is simple: forget about Release+Release.gpg
as obsolete, and only use InRelease files.  What to sign is the YAML
content with all lines ending with EOL.

Right now there is ambiguity: the InRelease signatures are computed on
Release content without a terminating EOL, IIRC.

Or are you aware that cleartext canonicalization is used for anything
but the terminating EOL?  I think the only difference between
unprocessed Release content and processed InRelease content is the
terminating EOL, which I don't know the history for but presumably is
for some historic reason.

Some new policy could demand that YAML archive info ought to be
formatted in a way that survives identically PGP cleartext formatting.
I think that subset covers reasonable files.

/Simon

Back to linux.debian.devel | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

Hard Rust requirements from May onward Julian Andres Klode <jak@debian.org> - 2025-10-31 21:50 +0100
  Re: Hard Rust requirements from May onward John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> - 2025-10-31 22:40 +0100
    Re: Hard Rust requirements from May onward Simon Richter <sjr@debian.org> - 2025-11-01 04:20 +0100
      Re: Hard Rust requirements from May onward Geert Stappers <stappers@stappers.nl> - 2025-11-01 08:40 +0100
        Re: Hard Rust requirements from May onward Bjørn Mork <bjorn@mork.no> - 2025-11-01 13:40 +0100
          Re: Hard Rust requirements from May onward Simon Josefsson <simon@josefsson.org> - 2025-11-01 14:40 +0100
            Re: Hard Rust requirements from May onward Andrey Rakhmatullin <wrar@debian.org> - 2025-11-01 15:40 +0100
              Re: Hard Rust requirements from May onward Simon Josefsson <simon@josefsson.org> - 2025-11-01 20:40 +0100
                Re: Hard Rust requirements from May onward Philipp Kern <pkern@debian.org> - 2025-11-01 21:10 +0100
                Re: Hard Rust requirements from May onward Holger Levsen <holger@layer-acht.org> - 2025-11-02 00:20 +0100
                Re: Hard Rust requirements from May onward Simon Josefsson <simon@josefsson.org> - 2025-11-02 10:30 +0100
                Re: Hard Rust requirements from May onward Simon Josefsson <simon@josefsson.org> - 2025-11-02 10:40 +0100
                Re: Hard Rust requirements from May onward Philipp Kern <pkern@debian.org> - 2025-11-09 21:40 +0100
                Re: Hard Rust requirements from May onward Simon Josefsson <simon@josefsson.org> - 2025-11-09 23:00 +0100
                Re: Hard Rust requirements from May onward Philipp Kern <phil@philkern.de> - 2025-11-09 23:30 +0100
                Re: Hard Rust requirements from May onward Simon Josefsson <simon@josefsson.org> - 2025-11-10 11:40 +0100
                Re: Hard Rust requirements from May onward Andrey Rakhmatullin <wrar@debian.org> - 2025-11-10 12:20 +0100
                Re: Hard Rust requirements from May onward Holger Levsen <holger@layer-acht.org> - 2025-11-10 13:40 +0100
                Re: Hard Rust requirements from May onward Simon Richter <sjr@debian.org> - 2025-11-10 04:10 +0100
                Re: Hard Rust requirements from May onward Simon Josefsson <simon@josefsson.org> - 2025-11-10 12:00 +0100
                Re: Hard Rust requirements from May onward Simon Richter <sjr@debian.org> - 2025-11-10 15:00 +0100
                Re: Hard Rust requirements from May onward David Kalnischkies <david@kalnischkies.de> - 2025-11-10 17:50 +0100
                Re: Hard Rust requirements from May onward Simon Josefsson <simon@josefsson.org> - 2025-11-10 20:20 +0100
                Re: Hard Rust requirements from May onward Simon Josefsson <simon@josefsson.org> - 2025-11-10 20:30 +0100
                Re: purpose of InRelease in apt [was: non-GPG signatures; was: Rust  requirements] Simon McVittie <smcv@debian.org> - 2025-11-10 17:10 +0100
                Re: purpose of InRelease in apt [was: non-GPG signatures; was: Rust  requirements] Stefano Rivera <stefanor@debian.org> - 2025-11-13 13:20 +0100
                Re: purpose of InRelease in apt [was: non-GPG signatures; was: Rust  requirements] Simon Josefsson <simon@josefsson.org> - 2025-11-13 18:20 +0100
          Re: Hard Rust requirements from May onward Russ Allbery <rra@debian.org> - 2025-11-01 17:50 +0100
          Re: Hard Rust requirements from May onward Christoph Biedl <debian.axhn@manchmal.in-ulm.de> - 2025-11-05 09:10 +0100
        Re: Re: Hard Rust requirements from May onward John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> - 2025-11-02 11:20 +0100
    Re: Hard Rust requirements from May onward Antoni Boucher <bouanto@zoho.com> - 2025-11-01 16:30 +0100
      Re: Hard Rust requirements from May onward John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> - 2025-11-02 11:50 +0100
        Re: Hard Rust requirements from May onward Antoni Boucher <bouanto@zoho.com> - 2025-11-02 16:30 +0100
  Re: Hard Rust requirements from May onward Julian Andres Klode <jak@debian.org> - 2025-10-31 22:50 +0100
  Re: Hard Rust requirements from May onward Paul Tagliamonte <paultag@debian.org> - 2025-11-01 15:20 +0100
    Re: Hard Rust requirements from May onward Paul Tagliamonte <paultag@debian.org> - 2025-11-01 15:20 +0100
    Re: Re: Hard Rust requirements from May onward John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> - 2025-11-02 11:30 +0100
    Re: Hard Rust requirements from May onward Bill Allombert <ballombe@debian.org> - 2025-11-02 15:40 +0100
  Re: Hard Rust requirements from May onward Joerg Jaspert <joerg@debian.org> - 2025-11-02 13:10 +0100
    Re: Hard Rust requirements from May onward Richard Lewis <richard.lewis.debian@googlemail.com> - 2025-11-02 16:20 +0100
      Re: Hard Rust requirements from May onward Adrian Bunk <bunk@debian.org> - 2025-11-02 18:10 +0100
    Re: Hard Rust requirements from May onward Julian Andres Klode <jak@debian.org> - 2025-11-02 17:30 +0100
      Re: Hard Rust requirements from May onward Joerg Jaspert <joerg@debian.org> - 2025-11-02 17:40 +0100
    Re: Hard Rust requirements from May onward Adrian Bunk <bunk@debian.org> - 2025-11-03 23:20 +0100
      Re: Hard Rust requirements from May onward Ansgar 🙀 <ansgar@debian.org> - 2025-11-04 07:30 +0100
        Re: Hard Rust requirements from May onward Mike Hommey <mh@glandium.org> - 2025-11-04 08:10 +0100
        Re: Hard Rust requirements from May onward Adrian Bunk <bunk@debian.org> - 2025-11-04 11:50 +0100
          Re: Hard Rust requirements from May onward Simon Richter <sjr@debian.org> - 2025-11-04 12:10 +0100
            Re: Hard Rust requirements from May onward Adrian Bunk <bunk@debian.org> - 2025-11-04 13:30 +0100
              Vendoring Simon Richter <sjr@debian.org> - 2025-11-04 13:50 +0100
          Re: Hard Rust requirements from May onward Holger Levsen <holger@layer-acht.org> - 2025-11-04 13:20 +0100
            Re: Hard Rust requirements from May onward Simon Richter <sjr@debian.org> - 2025-11-04 13:30 +0100
            Re: Hard Rust requirements from May onward Adrian Bunk <bunk@debian.org> - 2025-11-04 16:00 +0100
              Re: Hard Rust requirements from May onward Holger Levsen <holger@layer-acht.org> - 2025-11-04 16:50 +0100
                Re: Hard Rust requirements from May onward Adrian Bunk <bunk@debian.org> - 2025-11-04 19:40 +0100
        Re: Hard Rust requirements from May onward Stephan Verbücheln <verbuecheln@posteo.de> - 2025-11-04 15:30 +0100
          Re: Hard Rust requirements from May onward Fabian Grünbichler <debian@fabian.gruenbichler.email> - 2025-11-04 18:40 +0100
      Re: Hard Rust requirements from May onward Fabian Grünbichler <debian@fabian.gruenbichler.email> - 2025-11-04 18:30 +0100
        Re: Hard Rust requirements from May onward Sebastian Ramacher <sramacher@debian.org> - 2025-11-04 19:10 +0100
          Re: Hard Rust requirements from May onward Fabian Grünbichler <debian@fabian.gruenbichler.email> - 2025-11-04 19:40 +0100
        Re: Hard Rust requirements from May onward Adrian Bunk <bunk@debian.org> - 2025-11-04 20:10 +0100
          Re: Hard Rust requirements from May onward Adrian Bunk <bunk@debian.org> - 2025-11-04 21:50 +0100
          Re: Hard Rust requirements from May onward Fabian Grünbichler <debian@fabian.gruenbichler.email> - 2025-11-05 07:50 +0100
            Re: Hard Rust requirements from May onward Adrian Bunk <bunk@debian.org> - 2025-11-05 12:10 +0100
        Re: Hard Rust requirements from May onward Adrian Bunk <bunk@debian.org> - 2025-11-05 18:40 +0100
        Re: Hard Rust requirements from May onward Philipp Kern <pkern@debian.org> - 2025-11-06 22:10 +0100
    Re: Hard Rust requirements from May onward Sean Whitton <spwhitton@spwhitton.name> - 2025-11-05 16:00 +0100
  Re: Hard Rust requirements from May onward David Kalnischkies <david@kalnischkies.de> - 2025-11-03 13:40 +0100
    apt-ftparchive alternatives (was: Hard Rust requirements from May  onward) Jeremy Stanley <fungi@yuggoth.org> - 2025-11-03 19:00 +0100
      Re: apt-ftparchive alternatives (was: Hard Rust requirements from  May onward) nick black <dankamongmen@gmail.com> - 2025-11-03 19:50 +0100
        Re: apt-ftparchive alternatives (was: Hard Rust requirements from  May onward) Jeremy Stanley <fungi@yuggoth.org> - 2025-11-03 20:00 +0100
          Re: apt-ftparchive alternatives (was: Hard Rust requirements from  May onward) Peter Pentchev <roam@ringlet.net> - 2025-11-03 21:00 +0100
          Re: apt-ftparchive alternatives Richard Lewis <richard.lewis.debian@googlemail.com> - 2025-11-15 14:00 +0100
      Re: apt-ftparchive alternatives (was: Hard Rust requirements from  May onward) David Kalnischkies <david@kalnischkies.de> - 2025-11-05 16:10 +0100
        Re: apt-ftparchive alternatives Ahmad Khalifa <ahmad@khalifa.ws> - 2025-11-06 22:20 +0100
          Re: apt-ftparchive alternatives David Kalnischkies <david@kalnischkies.de> - 2025-11-09 17:00 +0100
            Re: apt-ftparchive alternatives Ahmad Khalifa <ahmad@khalifa.ws> - 2025-11-09 21:50 +0100
              Re: apt-ftparchive alternatives David Kalnischkies <david@kalnischkies.de> - 2025-11-10 14:00 +0100

csiph-web