Elmar Stellnberger wrote:
> Am 22.09.14 um 01:52 schrieb Paul Wise:
>> On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:
>>>     A package with some new signatures added is no more the old package.
>> That is exactly what we do *not* want for reproducible builds.
>>> It should have a different checksum and be made available again for update.
>> The Debian archive does not allow files to change their checksum, so
>> every signature addition requires a new version number. That sounds
>> like a bad idea to me.
> Yes, that is something we definitely do not want.
> Nonetheless it would still be an issue to have the package and the signatures
> in one file because we usually need them together. My only idea to realize 
> this
> in spite of the said objection would be another proposal:
> Put the .deb and the signatures into one .ar called .sdeb and make tools like
> dpkg work on .sdebs or on .deb + signatures respecively. Whenever someone
> offers some packages for download that will be in the form of .sdebs while
> official debian repositories may separate both kinds of files. User interfaces
> like http://debtags.debian.net/search/ could then generate .sdebs on the fly
> to satisfy petted users.

I think we're starting to nail down the moving parts here, so I want to
outline that so we can find out the parts where we agree and where we disagree.

* I hope we can all agree that the package itself should not change once it
has hit the official repos.

* I believe we can achieve what we want without taking a shortcut and
introducing a new core package type (.sdeb .debs or whatever).  We can figure
out how to do this with the .deb file.  Personally, I would accept a new
package type after a thorough exploration of keeping .deb fails to deliver,
but not before.

* There should be at least one verification build before a package becomes

* Then there needs to be a channel for people to submit the results of their
own builds.  That could be only positive results or only negative results, or

* the .buildinfo file should contain all info needed to reproduce the build,
given a standard Debian build environment

Anything I left out?


PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81

Reproducible-builds mailing list

Reply via email to