On 2016-07-25, Jonathan McDowell wrote:
> I propose instead a Buildinfo.xz (or gz or whatever) file, which is
> single text file containing all of the buildinfo information that
> corresponds to the Packages list. What is lost by this approach are the
> OpenPGP signatures that .buildinfo files can have on them. I appreciate
> this is an important part of the reproducible builds aim, but I believe
> one of its strengths is the ability for multiple separate package builds
> to attest that they have used that buildinfo information to build the
> exact same set of binary artefacts. This is not something that easily
> scales on the archive network and I think it is better served by a
> separate service; it would be possible to take the package snippet from
> the buildinfo file and sign that alone, uploading the signature to the
> attestation service. For "normal" Debian operation the usual archive
> signatures would provide a basic level of attestation of chain of build
> information.
> The rest of this mail continues on the above assumptions. If you do not
> agree with the above the below is probably null and void, so ignore it
> and instead educate me about what the requirements are and I'll try and
> adjust my ideas based on that.
> So. If a single Buildinfo.xz file is acceptable, with the attestation
> being elsewhere, I think this is doable without too much hackery in dak.
> There are some trade-offs to make though, and I need to check which are
> acceptable and which are viewed as too much.

I just wanted to give a huge thanks for taking a good look at this, even
if it isn't exactly what has been specced out by earlier
reproducible-builds discussions. Evaluating a somewhat different
approach, especially if it turns out to be more feasible (at least from
some angles), is really valuable in my eyes.

FWIW, I wasn't involved in the discussions spelling out what the
reproducible builds project wanted in the archive, so I don't have much
concrete to say, but you've clearly given some serious thought and
effort to this, so I didn't want it to slip through the cracks!

I tried to read through some of the documentation I could find:


Having reviewed the above, there doesn't seem to be a huge conflict that
you haven't at least considered already.

Hopefully, someone with more history and context with the .buildinfo
file discussions can chime in soonish...

live well,

Attachment: signature.asc
Description: PGP signature

Reproducible-builds mailing list
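As an added illustration of the proposal quoted at the top of this mail (not code from Debian, dak or the thread's participants), the following Python sketches the two halves of the idea: a single concatenated Buildinfo.xz that dak would publish next to Packages, and a "package snippet" cut out of each stanza that independent rebuilders could attest to separately. The stanza contents, the .deb digests, the size field and the choice of which fields make up the snippet (Source, Binary, Architecture, Version and Checksums-Sha256, excluding Build-Date and Build-Path) are assumptions made here for the example; the mail itself does not define the snippet.

```python
"""Added example: one concatenated Buildinfo.xz plus per-package attestation on
a canonical snippet. Not Debian/dak code; stanza contents, digests and the
snippet field set are constructed assumptions for illustration only."""
import hashlib
import lzma


def _constructed_digest(label: str) -> str:
    # Stand-in for the sha256 of a real .deb, derived from a label.
    return hashlib.sha256(label.encode()).hexdigest()


HELLO_DEB = _constructed_digest("hello_2.10-1_amd64.deb")
BAR_DEB = _constructed_digest("bar_1.0-3_amd64.deb")
BAR_DEB_REBUILT = _constructed_digest("bar_1.0-3_amd64.deb, differing rebuild")


def _stanza(source, version, deb_sha256, build_date, build_path):
    # Constructed .buildinfo-style stanza carrying a subset of the real fields.
    return (f"Format: 1.0\nSource: {source}\nBinary: {source}\nArchitecture: amd64\n"
            f"Version: {version}\nChecksums-Sha256:\n"
            f" {deb_sha256} 54321 {source}_{version}_amd64.deb\n"
            f"Build-Date: {build_date}\nBuild-Path: {build_path}\n")


# Archive side: two stanzas concatenated with a blank line, then xz-compressed,
# which is what the proposed Buildinfo.xz would look like on a mirror.
ARCHIVE_XZ = lzma.compress("\n".join([
    _stanza("hello", "2.10-1", HELLO_DEB, "Mon, 25 Jul 2016 10:00:00 +0000", "/build/hello-2.10"),
    _stanza("bar", "1.0-3", BAR_DEB, "Mon, 25 Jul 2016 11:00:00 +0000", "/build/bar-1.0"),
]).encode())

# Rebuilder side: hello reproduced from another path and date; bar did not reproduce.
REBUILDER_BUILDINFO = "\n".join([
    _stanza("hello", "2.10-1", HELLO_DEB, "Tue, 26 Jul 2016 03:14:15 +0000", "/srv/rebuild/hello-2.10"),
    _stanza("bar", "1.0-3", BAR_DEB_REBUILT, "Tue, 26 Jul 2016 03:20:00 +0000", "/srv/rebuild/bar-1.0"),
])

SNIPPET_FIELDS = ("Source", "Binary", "Architecture", "Version", "Checksums-Sha256")


def parse_stanzas(text: str) -> list:
    """Split control-file text into stanzas; continuation lines start with whitespace."""
    stanzas, current, field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, field = {}, None
        elif line[0] in " \t":
            if field is None:
                raise ValueError(f"continuation line without a field: {line!r}")
            current[field] += "\n" + line.strip()
        else:
            field, _, value = line.partition(":")
            field = field.strip()
            current[field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def package_key(stanza: dict) -> tuple:
    return (stanza["Source"], stanza["Version"], stanza["Architecture"])


def package_snippet(stanza: dict) -> str:
    """Canonical text a builder would sign: what was built and the artefact
    digests, deliberately leaving out Build-Date, Build-Path and the like."""
    lines = []
    for name in SNIPPET_FIELDS:
        entries = [v for v in stanza[name].split("\n") if v]
        if len(entries) == 1 and not name.startswith("Checksums-"):
            lines.append(f"{name}: {entries[0]}")
        else:
            lines.append(f"{name}:")
            lines.extend(" " + e for e in sorted(entries))
    return "\n".join(lines) + "\n"


def snippet_digest(stanza: dict) -> str:
    return hashlib.sha256(package_snippet(stanza).encode()).hexdigest()


def load_buildinfo_xz(blob: bytes) -> dict:
    """Decompress Buildinfo.xz and index its stanzas by (source, version, arch)."""
    return {package_key(s): s for s in parse_stanzas(lzma.decompress(blob).decode())}


def stanza_for_deb(index: dict, deb_sha256: str):
    """Tie a Packages entry (by its SHA256) back to the stanza that produced it."""
    for stanza in index.values():
        for entry in stanza["Checksums-Sha256"].split("\n"):
            if entry and entry.split()[0] == deb_sha256:
                return stanza
    return None


def reproduced(rebuilt: dict, index: dict) -> bool:
    """True when the rebuilder's snippet matches the archived one exactly."""
    archived = index.get(package_key(rebuilt))
    return archived is not None and snippet_digest(archived) == snippet_digest(rebuilt)


def check_rebuilds() -> dict:
    index = load_buildinfo_xz(ARCHIVE_XZ)
    return {s["Source"]: reproduced(s, index) for s in parse_stanzas(REBUILDER_BUILDINFO)}
```

The OpenPGP step the mail talks about is left out: what a rebuilder would sign and upload to the separate attestation service is the text returned by `package_snippet`, and the service could key stored signatures on `snippet_digest` so that any number of independent builders attest to the same artefacts without anything extra landing on the mirrors. `stanza_for_deb` shows the remaining link the archive signature chain gives you for free: a Packages entry names a .deb digest, and that digest leads to exactly one stanza in the signed Buildinfo.xz.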
