[Reproducible-builds] Ideas

Jérémy Bobbio lunar at debian.org
Tue Feb 4 22:29:51 UTC 2014


Hilko Bengen:
> >     My ideal scenario is the following:
> >
> >      1. I retrieve the .changes file for a package.
> 
> From where would you retrieve the .changes files for a given package,
> for instance bash_4.2+dfsg-0.1_amd64.changes (as one would expect for
> wheezy)?

It's been discussed several times in the history of the project to keep
.changes files on the archive. Phil Hands was supposed to discuss with
Ganeff at the end of the DebConf13 BoF. I'm not sure what happened.

> >      2. I verify the signature on the .changes.
> >      3. I give the .changes to a "rebuild" tool.
> 
> If I understand you correctly, the .changes file in your scenario would
> contain the relevant information to reproduce the build environment
> (versions of all binary packages present). Wouldn't it make more sense
> to transport this information in the .deb files themselves?

It can't be in the .deb files: they are binary packages. In order to
reproduce a build, one needs the source and the original environment. In
order to ensure the result matches, one needs a reference. The .changes
contains almost all that, except a list of package/version. The latter
can be added through a command line argument. It just sounds like a good
fit.

> >      4. The checksum of the .deb listed in the original .changes file
> >         and the checksum of the .deb I've just built should match.
> 
> Where is the problem in comparing checksums that have been derived in a
> different way than just taking the md5/sha1/whatever-sum over the .deb
> -- or in comparing a list of checksums instead of just one?

It's not the final product of the build. It's not what is in .changes
files and that is already signed by maintainers.

Sorry if you don't feel that it matters. Please do not attempt to
convince me otherwise, it would be a waste of time. There is still
plenty of work that can be done if you disagree this is the right way to
compare binary packages.

-- 
Lunar                                .''`. 
lunar at debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
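The four-step scenario discussed in this thread (retrieve the .changes, verify its signature, rebuild, compare the .deb checksums against the signed ones), as an added example that is not part of the original message or of the reproducible-builds project's tooling. It assumes the signature on the .changes has already been verified (step 2) and uses a constructed .changes fragment whose SHA-256 values are those of the byte strings b"abc" and b""; the package names are placeholders.

```python
"""Check rebuilt .deb files against the Checksums-Sha256 field of a .changes."""
import hashlib

# Constructed .changes fragment (not a real Debian upload).  The two digests
# are the SHA-256 of b"abc" (size 3) and of the empty file (size 0).
CHANGES_TEXT = """\
Format: 1.8
Source: example
Binary: example example-doc
Architecture: amd64
Version: 1.0-1
Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 example_1.0-1_amd64.deb
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example-doc_1.0-1_all.deb
Files:
 900150983cd24fb0d6963f7d28e17f72 3 misc optional example_1.0-1_amd64.deb
"""


def parse_checksums_sha256(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.

    .changes is a deb822 file: a multi-line field consists of the field name
    line followed by continuation lines that start with a single space.
    """
    result = {}
    in_field = False
    for line in changes_text.splitlines():
        if in_field:
            if not line.startswith(" "):
                break  # reached the next field (e.g. Files:)
            digest, size, name = line.split()
            result[name] = (digest.lower(), int(size))
        elif line.lower().startswith("checksums-sha256:"):
            in_field = True
    return result


def compare_rebuild(changes_text, rebuilt):
    """Compare rebuilt binaries ({filename: bytes}) with the signed reference.

    Only .deb/.udeb entries are compared: the .dsc and tarballs listed in a
    real .changes are inputs to the rebuild, not its products.  Returns
    {filename: "match" | "mismatch" | "missing"}.
    """
    report = {}
    for name, (digest, size) in parse_checksums_sha256(changes_text).items():
        if not name.endswith((".deb", ".udeb")):
            continue
        data = rebuilt.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) == size and hashlib.sha256(data).hexdigest() == digest:
            report[name] = "match"
        else:
            report[name] = "mismatch"
    return report
```

Any "mismatch" means the rebuild did not reproduce the maintainer's signed artifact bit for bit, which is exactly the condition the thread wants to detect.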