Mattia, thanks a lot for this great description what you did why!
Really awesome.

On Wed, Sep 21, 2016 at 01:35:27PM +0000, Mattia Rizzolo wrote:
> well, why, considering a single-archive world, is Source+Version fields
> in .buildinfo not enough to link the binaries to the source?

well, if this reproducible builds effort is also ment to improve the
security of Debian, it's very proper not only to record what the label
says it should contain (src pkg + version) but also something so it's
later possible to check whether "your src pkg + version" is the same
"I" later build… ;) (IOW: to not only record the label but also a hash
of the contents.)


Attachment: signature.asc
Description: Digital signature

Reproducible-builds mailing list

Reply via email to