[Reproducible-builds] reproducible .buildinfo inclusion in the archive and output by dpkg
Holger Levsen
holger at layer-acht.org
Sat Aug 29 17:05:21 UTC 2015
Hi Guillem, hi Jörg,
together with Lunar we four sat together on the last Saturday of DebConf15 in
Heidelberg and discussed the next steps forward to achieve the inclusion of
.buildinfo in the Debian archive and output by dpkg.
On the ftpmaster side we agreed that:
- dak/queued has to be changed to accept .buildinfo files
- will be stored on ftp-master, concatted and compressed it will be exposed to
the mirrors
- one per arch + suite, aka for each Packages file
- new idea after meeting: Buildinfo.tar.xz for easier handling? (makes
build-signed-off-by maybe not need a checksum)
- individual .buildinfo files are kept on ftp-master.debian.org (and
metadata.ftp-master.debian.org too)
ftpmasters, is there anything we can help you with, to get this implemented
rather quickly?
On the dpkg side we agreed that:
- once the above is done, dpkg in sid can be changed to produce .buildinfo
files as in our current patch
- except the format-version should be 1.0
- there should be a published .buildinfo spec which will make it clear that this
is experimental and might change (Guillem, shall that spec be part of the dpkg
source and thus be part of our patch?)
- sha256sum should be added to build environment _later_
- Packages file gets a certified-by field:
Build-Signed-Off-By: 0603CCFD91865C17E88D4C798382C95C29023DF9 Jérémy Bobbio <lunar at debian.org>
which should include the checksum of the .buildinfo file (or maybe not, see above)
- if vendor=debian the .buildinfo file will include the build path if it
starts with /tmp/buildd or /buildd (this patch needs to be written)
Guillem, when you said we should close the old bug and create a new one with
the new patch, did you mean #138409? (Which is titled "[PROPOSAL] Add build
environment data to <package>.changes files")
I hope this is a correct summary, if not, please correct me. If you have any
questions or comments, please by all means go ahead!
Thanks & cheers,
Holger