Ximin Luo:
> [..]
>
> Now then, why does the FTP archive need to distribute buildinfo files at all?
> It can simply store the signed files and distribute the hashes. Then rebuilders
> (people that want to verify our reproducibility claims) can download the hashes
> from the archive, get the corresponding buildinfo files from another server,
> and perform the build. The files could even be unsigned, this does not matter
> for rebuilding purposes.
>
> This is a slightly awkward workflow however and it would be simpler / more
> reliable to only have to contact one host. Furthermore, most rebuilders would
> probably only try to build for one architecture, hence it is again a nicer
> workflow to only download the required buildinfos for your own architecture.
>
> We also ran some numbers and a Buildinfos-amd64.xz (with unsigned buildinfo
> files) turned out to be about 9MB which I think is reasonable to expect people
> to download periodically, whereas a Buildinfos.xz across all arches would
> probably be more like 50MB or more (we don't have the machines to properly
> calculate this) and is less convenient both for rebuilders and for the archive
> mirror network.
>
> With signatures, the number is much much greater and not really suitable for
> continual distribution, which is why these have to be unsigned.
>
Thanks HW42 for prompting a second look at this. A GPG signature with a 4096-bit
key is about 800 bytes in base 64:

http://ftp.debian.org/debian/dists/sid/ (has 2 signatures, if you use `gpg --list-packets`)
http://ppa.launchpad.net/infinity0/rust-nightly/ubuntu/dists/yakkety/

so it would be about 600 bytes compressed. Across 24000 source packages, this
would be 600 * 24000 ~= 13.7MB per architecture (including for arch:all). This
doesn't seem too bad actually.

In total, this would be (9+13)*2 (one arch:all, one arch:$native) ~= 50MB
download, which considering the advantage of not having to contact a 3rd party,
I think is just about worth it, even if you only want to rebuild a few packages.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds