[Reproducible-builds] Bug#802241: please store the hash of the installed .deb and allow to query it

Mattia Rizzolo mattia at mapreri.org
Sun Oct 18 18:20:01 UTC 2015


Package: dpkg
Version: 1.18.3
Severity: wishlist
X-Debbugs-CC: reproducible-builds at lists.alioth.debian.org

Hi dpkg people,

in the context of allowing one to recreate the same build-environment of a
past build we would need to know which packages were installed.
Currently we rely on (pkgname, arch, version) tuples to uniquely
identify a binary package, but as you can easily imagine this is not
unique at all, definitely not in the multi distro universe, possibly not
even across suites.
This can also help quite a few higher-level package managers to identify
which archive is providing the installed package, as David Kalnischkies
pointed out in https://lists.debian.org/20150624164233.GA25413@crossbow

I would think to just add a field in /var/lib/dpkg/status but YMMV and
I'm happy with everything.

As a side effect this enables anyone to easily check whether a package
came from the Debian archive or from somewhere else.


This matter was already briefly discussed on the ML, and ended up with some
open questions in https://lists.debian.org/20150623073105.GE5719@loar so
let's file this bug to more easily track it.

To me it seems that:
* we are mostly interested in the hash of the whole container: all the
  use cases highlighted above would require this;
* If ↑ then the hash can't be pre-computed and stored inside the
  container.


Thanks in advance for everything!

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  http://mapreri.org                              : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
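
The ambiguity described in the report, as an added example that is not part of the original message and not dpkg code: two archives publish the same (pkgname, arch, version) tuple with different contents, and only the hash of the whole .deb, matched against the SHA256 field of each archive's Packages index, tells them apart. The archive names, package name and file contents are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for two .deb files that share (name, arch, version)
# but were built by different archives, so their bytes differ.
DEB_A = b"!<arch>\n" + b"constructed payload from archive A"
DEB_B = b"!<arch>\n" + b"constructed payload from archive B"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_index(deb):
    # Minimal constructed Packages stanza; real ones carry many more fields.
    return ("Package: hello\nVersion: 2.10-1\nArchitecture: amd64\n"
            "SHA256: %s\n" % sha256_hex(deb))

# Archive names are hypothetical labels.
INDEXES = {"debian": make_index(DEB_A), "other-distro": make_index(DEB_B)}

def parse_stanzas(text):
    """Yield one dict per blank-line-separated stanza (single-line fields only)."""
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        yield fields

def build_lookups(indexes):
    by_tuple, by_hash = defaultdict(set), defaultdict(set)
    for origin, text in indexes.items():
        for s in parse_stanzas(text):
            by_tuple[(s["Package"], s["Architecture"], s["Version"])].add(origin)
            by_hash[s["SHA256"]].add(origin)
    return by_tuple, by_hash

BY_TUPLE, BY_HASH = build_lookups(INDEXES)

def origins_by_tuple(name, arch, version):
    return set(BY_TUPLE.get((name, arch, version), set()))

def origins_by_hash(deb_bytes):
    # Hash of the whole container, as the report asks dpkg to record.
    return set(BY_HASH.get(sha256_hex(deb_bytes), set()))

if __name__ == "__main__":
    print(origins_by_tuple("hello", "amd64", "2.10-1"))  # ambiguous: both archives
    print(origins_by_hash(DEB_A))                        # unambiguous: one archive
```

The lookup by hash only works if the hash of the installed file was recorded at install time, since the .deb itself is normally gone afterwards.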