Hi, Mattia, thanks a lot for this great description of what you did and why! Really awesome.

On Wed, Sep 21, 2016 at 01:35:27PM +0000, Mattia Rizzolo wrote:
> well, why, considering a single-archive world, is Source+Version fields
> in .buildinfo not enough to link the binaries to the source?

well, if this reproducible builds effort is also meant to improve the security of Debian, it's very proper not only to record what the label says it should contain (src pkg + version) but also something so it's later possible to check whether "your src pkg + version" is the same "I" later build… ;)

(IOW: to not only record the label but also a hash of the contents.)

--
cheers,
Holger
_______________________________________________
Reproducible-builds mailing list
Reproduciblefirstname.lastname@example.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
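The difference between recording the label and recording a hash of the contents, as an added example that is not part of the original thread or of any Debian tool. It assumes a deb822-style .buildinfo stanza whose `Checksums-Sha256` field lists the `.dsc`; the function names and the sample package `hello` are constructed for illustration.

```python
import hashlib

def parse_stanza(text):
    """Parse one deb822-style stanza; continuation lines start with whitespace."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            current = name.strip()
            fields[current] = value.strip()
    return fields

def recorded_sha256(fields):
    """Map filename -> (sha256 hex, size) from the Checksums-Sha256 field."""
    out = {}
    for entry in fields.get("Checksums-Sha256", "").splitlines():
        if entry.strip():
            digest, size, name = entry.split()
            out[name] = (digest, int(size))
    return out

def check_source(buildinfo_text, dsc_name, dsc_bytes):
    """Compare a candidate .dsc against what the .buildinfo recorded."""
    fields = parse_stanza(buildinfo_text)
    version = fields["Version"].split(":", 1)[-1]  # epoch is not in the filename
    if dsc_name != f"{fields['Source']}_{version}.dsc":
        return "label-mismatch"
    recorded = recorded_sha256(fields).get(dsc_name)
    if recorded is None:
        return "label-only"  # Source+Version agree, contents cannot be checked
    actual = (hashlib.sha256(dsc_bytes).hexdigest(), len(dsc_bytes))
    return "match" if actual == recorded else "content-mismatch"

# Constructed sample data: two sources carrying the same Source+Version label.
DSC_A = b"Format: 3.0 (quilt)\nSource: hello\nVersion: 1.0-1\n"
DSC_B = DSC_A + b"Files: something different\n"

def make_buildinfo(dsc, with_hash=True):
    """Build a constructed .buildinfo stanza, with or without the content hash."""
    text = "Source: hello\nVersion: 1.0-1\n"
    if with_hash:
        text += f"Checksums-Sha256:\n {hashlib.sha256(dsc).hexdigest()} {len(dsc)} hello_1.0-1.dsc\n"
    return text
```

With only Source and Version recorded, `DSC_A` and `DSC_B` are indistinguishable (`label-only`); with the hash recorded, the second is reported as `content-mismatch`.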