On 11/21/2015 04:17 PM, Marcin Kulisz wrote:
> On 2015-11-15 18:50:45, Wouter Verhelst wrote:
>> On Thu, Nov 12, 2015 at 09:04:29PM +0100, Thomas Goirand wrote:
>>> On 11/12/2015 04:52 PM, kuLa wrote:
>>>> On 2015-11-12 15:58:03, Thomas Goirand wrote:
>>>>> As per the discussions during debconf, to be called "official", the
>>>>> images have to be built:
>>>>> - directly from an unmodified stable
>>>>> - with reproducibility on any Debian computer (ie: no need for any
>>>>> external infrastructure access)
>>>>
>>>> I don't think we reached any consensus in relation to the last point but
>>>> I'm not going to argue about it right now.
>>>
>>> There's IMO no consensus to have, unless we change the root of Debian
>>> (ie: the DFSG, and the fact that we do free software, and can build it
>>> in Debian). The need for an external infrastructure would make the
>>> images non-free. SaaS on a proprietary platform is as non-free as one
>>> can get. I don't think anyone would say otherwise, would you?
>>
>> Personally, I disagree with the statement that "the need for external
>> infrastructure would make the images non-free".
>
> +1
> Is software we're rebuilding to include in Debian less free because we're not
> using upstream provided binaries? No it's not, so as long as images can be
> built wherever you want and code with tools to do so is DFSG and available it
> is a free software and through this extension images.

I think we agree here. The point is, we should be able to build the image on *any Debian machine*, but only *if we want to*. Building it on the cloud provider is often convenient, and I have no problem with that.

> I'm not sure if it's possible to upload image and to build one to make them
> bit for bit identical for reasons like ex. timestamps on files, etc.

I'm sure it's not. Until the reproducible build team has a deep look into debootstrap (and I know they are planning to do so at some point...), it won't be possible.

On 11/23/2015 02:04 AM, Charles Plessy wrote:
> * When releasing an image, a list of all the packages installed and
> a list of checksums of all the files must be provided.

That's a nice idea, but not very useful. I very much prefer what Steve has produced: a tarball with all source packages [1], which makes it a way more DFSG style. Each individual md5sum of each file is anyway stored in /var/lib/dpkg/info/*.md5sums within the image.

Your thoughts?

Cheers,

Thomas Goirand (zigo)

[1] http://cdimage.debian.org/cdimage/openstack/8.2.0/debian-8.2.0-openstack-source.tar.gz