[Reproducible-builds] reproducible .buildinfo inclusion in the archive and output by dpkg

Holger Levsen holger at layer-acht.org
Sat Aug 29 17:05:21 UTC 2015

Hi Guillem, hi Jörg,

together with Lunar we four sat together on the last Saturday of DebConf15 in
Heidelberg and discussed the next steps forward to achieve .buildinfo
inclusion in the Debian archive and output by dpkg.

On the ftpmaster side we agreed that:

- dak/queued has to be changed to accept .buildinfo files
- will be stored on ftp-master; concatenated and compressed, it will be exposed to
the mirrors
 - one per arch + suite, aka for each Packages file
 - new idea after meeting: Buildinfo.tar.xz for easier handling? (makes
build-signed-off-by maybe not need a checksum)
- individual .buildinfo files are kept on ftp-master.debian.org (and 
metadata.ftp-master.debian.org too)

ftpmasters, is there anything we can help you with, to get this implemented 
rather quickly?

On the dpkg side we agreed that:

- once the above is done, dpkg in sid can be changed to produce .buildinfo 
files as in our current patch
- except the format-version should be 1.0
- there should be a published .buildinfo spec which will make it clear that this
is experimental and might change (Guillem, shall that spec be part of the dpkg
source and thus be part of our patch?)
- sha256sum should be added to build environment _later_
- Packages file gets a certified-by field:
        Build-Signed-Off-By:  0603CCFD91865C17E88D4C798382C95C29023DF9 Jérémy Bobbio <lunar at debian.org>
  which should include the checksum of the .buildinfo file (or maybe not, see
  above)
- if vendor=debian the .buildinfo file will include the build path if it 
starts with /tmp/buildd or /buildd (this patch needs to be written)

Guillem, when you said we should close the old bug and create a new one with 
the new patch, did you mean #138409? (Which is titled "[PROPOSAL] Add build 
environment data to <package>.changes files")

I hope this is a correct summary; if not, please correct me. If you have any
questions or comments, please by all means go ahead!

Thanks & cheers,