[Reproducible-builds] reproducible .buildinfo inclusion in the archive and output by dpkg

Ansgar Burchardt ansgar at debian.org
Sat Aug 29 19:12:25 UTC 2015


Holger Levsen <holger at layer-acht.org> writes:
> together with Lunar we four sat together on the last Saturday of DebConf15 in 
> Heidelberg and discussed the next steps forward to achieve the inclusion of 
> .buildinfo in the Debian archive and output by dpkg.
>
> On the ftpmaster side we agreed that:
>
> - dak/queued has to be changed to accept .buildinfo files
> - will be stored on ftp-master, concatted and compressed it will be exposed to 
> the mirrors
>  - one per arch + suite, aka for each Packages file

How large are these? I'm sure the snapshot.d.o maintainers would prefer
something that does not change with each mirror push, or is not part of
the dists/ tree pushed to mirrors.

> - Packages file gets a certified-by field:
>         Build-Signed-Off-By:  0603CCFD91865C17E88D4C798382C95C29023DF9 Jérémy 
> Bobbio <lunar at debian.org> which should include the checksum of the .buildinfo 
> file (or maybe not, see above)

I think having an external service for these is better: otherwise we
have to deal with who can add signatures, and probably would limit it to
people in Debian's keyring (I don't want ftp-master to deal with
external parties).  A separate service could accept signatures from
everybody, including parties not directly involved in Debian or
automated systems.

Also adding even more data to the Packages indices is something I would
like to avoid: the files are already quite large.

Ansgar
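To make the data flow discussed in this thread concrete, the following is an added example (not code from the thread, dak, or dpkg). It models the proposal: per-build .buildinfo files concatenated into one index per arch + suite, and a Packages stanza carrying a Build-Signed-Off-By field with a fingerprint and signer name. Everything beyond that is an assumption made for the example: the .buildinfo field names (Source, Binary, Architecture, Version, Checksums-Sha256) follow the layout dpkg later adopted, the trailing `sha256:<hex>` on a sign-off line is a constructed way of expressing the optional ".buildinfo checksum" the thread mentions, and all fingerprints, hashes and package data are constructed placeholders. The check also encodes the keyring concern raised above: a sign-off is only accepted when its fingerprint is in an explicit allow-list.

```python
"""Added example: verify a Packages stanza's Build-Signed-Off-By entries
against a concatenated .buildinfo index.  Field names, the 'sha256:' suffix
and all sample data are constructed assumptions, not the archive's format."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# One sign-off line: 40-hex OpenPGP fingerprint, free-form name/email and
# (constructed extension) an optional sha256 of the .buildinfo file.
SIGNOFF_RE = re.compile(r"^([0-9A-F]{40})\s+(.+?)(?:\s+sha256:([0-9a-f]{64}))?$")


def parse_deb822(text: str) -> List[Dict[str, str]]:
    """Parse blank-line separated 'Field: value' stanzas; indented lines
    continue the previous field (deb822 style)."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            cur[last] += "\n" + line.strip()
            continue
        key, _, val = line.partition(":")
        last = key.strip()
        cur[last] = val.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def build_index(buildinfos: List[str]) -> Tuple[str, Dict[str, Dict[str, str]]]:
    """Concatenate per-build .buildinfo texts into the 'one per arch + suite'
    file the thread proposes, and map sha256(file text) -> parsed stanza so a
    Packages entry can reference a specific .buildinfo by checksum."""
    index = {hashlib.sha256(t.encode()).hexdigest(): parse_deb822(t)[0] for t in buildinfos}
    return "\n".join(t.rstrip("\n") + "\n" for t in buildinfos), index


def parse_signoffs(pkg: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Split a (possibly multi-line) Build-Signed-Off-By field into tuples."""
    out = []
    for line in pkg.get("Build-Signed-Off-By", "").splitlines():
        m = SIGNOFF_RE.match(line.strip())
        if not m:
            raise ValueError(f"malformed sign-off line: {line!r}")
        out.append((m.group(1), m.group(2), m.group(3)))
    return out


def check_package(pkg: Dict[str, str], index: Dict[str, Dict[str, str]],
                  allowed_fprs: set) -> Dict[str, List[str]]:
    """Accept a sign-off only if its fingerprint is in the allow-list (the
    'who can add signatures' question), it names a .buildinfo present in the
    index, and that .buildinfo's Checksums-Sha256 covers this .deb's SHA256."""
    accepted, rejected = [], []
    deb_sha = pkg["SHA256"]
    for fpr, _who, bi_sha in parse_signoffs(pkg):
        if fpr not in allowed_fprs:
            rejected.append(f"{fpr}: fingerprint not in allowed keyring")
            continue
        if bi_sha is None:
            rejected.append(f"{fpr}: no .buildinfo checksum to verify against")
            continue
        bi = index.get(bi_sha)
        if bi is None:
            rejected.append(f"{fpr}: .buildinfo {bi_sha[:12]} not in index")
            continue
        covered = {l.split()[0] for l in bi.get("Checksums-Sha256", "").splitlines() if l.strip()}
        if deb_sha not in covered:
            rejected.append(f"{fpr}: referenced .buildinfo does not list this .deb")
            continue
        accepted.append(fpr)
    return {"accepted": accepted, "rejected": rejected}


# --- constructed sample data (placeholders, not real keys or packages) ---
FPR_A = "A" * 40   # signer present in the allow-list
FPR_B = "B" * 40   # signer outside the allow-list
DEB_SHA = hashlib.sha256(b"constructed .deb contents").hexdigest()
BUILDINFO_OK = (
    "Source: hello\nBinary: hello\nArchitecture: amd64\nVersion: 2.10-1\n"
    "Checksums-Sha256:\n"
    f" {DEB_SHA} 12345 hello_2.10-1_amd64.deb\n"
)
CONCAT, INDEX = build_index([BUILDINFO_OK])
BI_SHA = hashlib.sha256(BUILDINFO_OK.encode()).hexdigest()
PACKAGES_STANZA = parse_deb822(
    "Package: hello\nVersion: 2.10-1\nArchitecture: amd64\n"
    "Filename: pool/main/h/hello/hello_2.10-1_amd64.deb\n"
    f"SHA256: {DEB_SHA}\n"
    f"Build-Signed-Off-By: {FPR_A} Alice Example <alice@example.org> sha256:{BI_SHA}\n"
    f" {FPR_B} Bob Example <bob@example.org> sha256:{BI_SHA}\n"
)[0]

if __name__ == "__main__":
    print(check_package(PACKAGES_STANZA, INDEX, {FPR_A}))
```

Run stand-alone it reports Alice's sign-off as accepted and Bob's as rejected for not being in the keyring; widening the allow-list to both fingerprints is exactly the "external service accepting signatures from everybody" variant, while the checksum link into the index is what ties a sign-off to one specific build rather than to the package name alone.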
