While thinking one more time about the current specification for
`.buildinfo` files [1], I remembered one unresolved question.

The `Build-Environment` field currently has the same syntax as
`Built-Using`: a list of packages and their exact version. This works
fine but might not be optimal.

Some people suggested that we should record a checksum of the `.deb`
installed as a way to unambiguously referring to a specific package.
The main benefit that I can think of is that it would allow to directly
retrieve the file from snapshot.debian.org based on the hash [2].

But, as far as I know, this information is currently not recorded by
dpkg and there is no way to know for sure which `.deb` has been used for
a package currently installed. I have a couple of memories where this
could have been useful outside of the aforementioned use case.

From my limited knowledge of dpkg's internals, computing checksums
and adding a new field to the status file doesn't seem hard to

What do you think? Would it such feature be a good addition to dpkg?
I'm willing to spend time writing a patch.

 [1]: https://wiki.debian.org/ReproducibleBuilds/BuildinfoSpecification
 [2]: https://anonscm.debian.org/cgit/mirror/snapshot.debian.org.git/plain/API
      URL: /file/<hash>

Lunar                                .''`. 
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 

Attachment: signature.asc
Description: Digital signature

Reproducible-builds mailing list

Reply via email to