Hi Linus,

(added the Debian reproducible builds lists to cc:)

On Fri, Mar 18, 2016 at 11:36:56AM +0100, Linus Nordberg wrote:
> Do once (per host you're going to submit from):
>     alias curl-tor='curl -A "" -x socks4a://'

that has an result I understand…

>     curl-tor -O https://www.ct.nordu.net/gaol.ct.nordu.net.pem
>     curl-tor -O https://www.ct.nordu.net/gaol.ct.nordu.net.pem.asc
>     gpg --verify gaol.ct.nordu.net.pem.asc

but this is rather incomplete or meaningless? ;-) Or I don't see the
point as that certificate aint used anywhere?

> Do once per .buildinfo file:
>     printf "{\"blob\": \"$(cat file | base64)\"}" | \
>       curl-tor --data @- \
>       http://mvkhztpvqcxpdbn3.onion/open/gaol/v1/add-blob

ok, seems easy enough.

So I just did:

printf "{\"test-h01ger\": \"$(cat /etc/motd | base64)\"}" | curl -A "" \
  -x socks4a:// --data @- \

Did the log receive that? If so, it's trivial to send them all to your

> NOTE0: If the size of your submissions (after base64 encoding) exceeds
> ~2MB they will fail.

ok, that's fine. currently the biggest .buildinfo file we have
(gcc-5-cross-ports_7_amd64.buildinfo) is 120K which transforms into 162k
base64 encoded.
> NOTE1: All data may disappear at any time (but i'll try hard to avoid
> that).

ok, noted.
> NOTE2: The format for submitted data might change, most likely adding a
> requirement for a "sig" field with a signature over "blob"

ok, please just tell us.

> NOTE3: you might want to put something in "blob" that makes it easy for
> you to select your entries from the log

I guess the filename of the .buildinfo file will do. What if I reuse the
"blob" value?


Attachment: signature.asc
Description: Digital signature

Reproducible-builds mailing list

Reply via email to