[Reproducible-builds] Bug#763822: ftp.debian.org: please include .buildinfo file in the archive

Thu Oct 2 21:39:10 UTC 2014

Package: ftp.debian.org
Severity: wishlist
User: ftp.debian.org at packages.debian.org
Usertags: archive

Hi!

As part of the “reproducible builds” effort [1], we came up with the
idea of a new control file, currently named “.buildinfo”

.buildinfo files would capture from the build environment as much
information as needed to reproduce the build. The file format and how it
could be included in the archive is described on the wiki [2].

An exercise in summarizing the key points:

 * A .buildinfo file is generated for each build, and is
   considered unique for a source package, version, and architecture.
   A rebuild should always generate the same .buildinfo as
   the original build.
 * A .buildinfo contains many fields similar to .changes, and the list
   of all packages forming the build environment (build-deps, their
   deps, Essential:yes, build-essential, etc.)
 * .buildinfo would be distributed in the archive together with source
   and binary packages.
 * They would be accompanied by detached GnuPG signatures, so multiple
   parties (e.g. DD and buildd) could assert the production of similar
   binary packages from the same source and same environment.
 * The latter information can then be shown in the Packages index
   for each binary packages.
 * A tool will allow independent parties to rebuild binary packages
   from .buildinfo files in the archive.

We wish .buildinfo files could become part of the Debian archive. For
that to happen, we highly welcome your comments on the current
specification, and advices regarding the next steps we could make.

During our experiments, adding .buildinfo files to .changes had one
unforeseen consequence. Packages that used to be “Architecture: all” are
now “Architecture: all amd64” as .buildinfo are tied to a given build
architecture. Except that it breaks lintian test suite, it is unclear if
that's a problem at all, or if some changes should be made. Again, your
input would be most welcome.

 [1]: https://wiki.debian.org/ReproducibleBuilds
 [2]: https://wiki.debian.org/ReproducibleBuilds/BuildinfoSpecification

-- 
Lunar                                .''`. 
lunar at debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20141002/21d93df9/attachment.sig>