| From | Simon Josefsson <simon@josefsson.org> |
|---|---|
| Newsgroups | linux.debian.devel |
| Subject | Re: Hard Rust requirements from May onward |
| Date | 2025-11-10 12:00 +0100 |
| Message-ID | <LPxMR-bT3e-1@gated-at.bofh.it> (permalink) |
| References | (8 earlier) <LMq5b-9JG6-1@gated-at.bofh.it> <LMCJ3-9S05-3@gated-at.bofh.it> <LPkmC-bJVj-13@gated-at.bofh.it> <LPlC2-bKHO-13@gated-at.bofh.it> <LPqs1-bO9i-1@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Simon Richter <sjr@debian.org> writes:

> Hi,
>
> On 11/10/25 6:51 AM, Simon Josefsson wrote:
>
>> Yes -- that should be fixed.  From a specification/policy point of view,
>> I think what should be done is simple: forget about Release+Release.gpg
>> as obsolete, and only use InRelease files.  What to sign is the YAML
>> content with all lines ending with EOL.
>
> Is there a need for a file format that supports hierarchical
> structures, or would deb822 work better?

I'm not sure anyone has answers, at least I don't. Maybe we could list
design considerations?

- Goal: support protection of Release/InRelease using signatures based
  on multiple frameworks such as SSHSIG, Sigstore, Sigsum, minisign,
  signify, age, whatever...

- Nice to have: reduce today's complexity with PGP to only be in one
  file -- I think we could stop publishing Release+Release.gpg and fix
  whatever tooling breaks as a result (apt is mostly fine), relying
  only on InRelease. This would also drop the number of PGP sig
  operations.

- Nice to have: don't add round-trip latency fetching multiple files.
  This one argues for putting everything in one file, such as extending
  InRelease.

  Maybe this could be achieved through some other means? Having a
  per-aptsource configuration indicating the protection method, and
  then only fetch that file? Such as Release.sigsum or
  Release.sigstore. I think supporting more than one mechanism isn't
  entirely unreasonable, so this adds two files that need to be
  fetched, which isn't optimal.

  Alternatively, continue to use Release file but add Release.sigstore
  and Release.sigsum etc?

- Nice to have: plaintext files, YAML or DEB822?

- Critical: a migration plan for how the trixie->forky(->duke)
  transition should work.

- Input from team that supports Release.gpg/InRelease-generation today,
  what are the restrictions and needs? Presumably having all tools
  needed in stable(+-backports) is required, but I think we mostly
  already do. Python and C packaging would be nice, if people hate Go.

- Input from apt team, what can be implemented and supported?

/Simon