[Reproducible-builds] uploading .buildinfo files… (from Debian reproducible builds…)
Linus Nordberg
linus at nordberg.se
Fri Mar 18 14:18:30 UTC 2016
Holger Levsen <holger at layer-acht.org> wrote
Fri, 18 Mar 2016 10:00:48 -0400:
| > curl-tor -O https://www.ct.nordu.net/gaol.ct.nordu.net.pem
| > curl-tor -O https://www.ct.nordu.net/gaol.ct.nordu.net.pem.asc
| > gpg --verify gaol.ct.nordu.net.pem.asc
|
| but this is rather incomplete or meaningless? ;-) Or I don't see the
| point as that certificate ain't used anywhere?
That's correct. Let's call it preparation for future verification of
SCTs and STHs. :D (In reality, I forgot to add info about that and
now I've decided to wait until someone asks for it.)
| > Do once per .buildinfo file:
| >
| > printf "{\"blob\": \"$(cat file | base64)\"}" | \
| > curl-tor --data @- \
| > http://mvkhztpvqcxpdbn3.onion/open/gaol/v1/add-blob
|
| ok, seems easy enough.
|
| So I just did:
|
| printf "{\"test-h01ger\": \"$(cat /etc/motd | base64)\"}" | curl -A "" \
| -x socks4a://127.0.0.1:9050/ --data @- \
| http://mvkhztpvqcxpdbn3.onion/open/gaol/v1/add-blob
|
| Did the log receive that? If so, it's trivial to send them all to your
| log…
Should've rejected it ("blob" is magic and required). What did curl tell
you? I bet it was 4xx rather than 200.
| > NOTE2: The format for submitted data might change, most likely adding a
| > requirement for a "sig" field with a signature over "blob"
|
| ok, please just tell us.
Will do.
| > NOTE3: you might want to put something in "blob" that makes it easy for
| > you to select your entries from the log
|
| I guess the filename of the .buildinfo file will do. What if I reuse the
| "blob" value?
Sorry for using sloppy language. You might want to put something
hopefully unique in the _value_ of the name/value pair with the name
"blob".
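The submission step discussed in this thread, as an added example that is not part of the original messages or of the log's own tooling: it builds the `{"blob": ...}` body on a single line (many `base64` implementations wrap their output, which would put raw newlines inside the JSON string) and reports the HTTP status, so a rejected request is not mistaken for a logged entry. The function names and the sample filename are hypothetical, plain `curl` with the proxy options quoted above stands in for `curl-tor`, and treating only 2xx as "accepted" is an assumption.

```shell
#!/bin/sh
# Added example: submit one .buildinfo file and check what the log answered.
# URL and proxy are the ones quoted in the thread; function names are hypothetical.
ADD_BLOB_URL="http://mvkhztpvqcxpdbn3.onion/open/gaol/v1/add-blob"
TOR_PROXY="socks4a://127.0.0.1:9050/"

# Print the request body {"blob": "<base64 of file>"} on a single line.
# Many base64 implementations wrap their output; a raw newline inside a JSON
# string is invalid, so strip line breaks. The base64 alphabet needs no escaping.
make_payload() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 1; }
    printf '{"blob": "%s"}' "$(base64 < "$1" | tr -d '\r\n')"
}

# Assumption: only a 2xx status means the entry was accepted.
status_ok() {
    case "$1" in
        2[0-9][0-9]) return 0 ;;
        *)           return 1 ;;
    esac
}

# POST the payload through Tor; print the outcome, fail on a non-2xx status.
submit_buildinfo() {
    payload=$(make_payload "$1") || return 1
    code=$(printf '%s' "$payload" |
        curl -s -o /dev/null -w '%{http_code}' -A "" -x "$TOR_PROXY" \
             --data @- "$ADD_BLOB_URL") || return 1
    if status_ok "$code"; then
        echo "accepted (HTTP $code): $1"
    else
        echo "rejected (HTTP $code): $1" >&2
        return 1
    fi
}

# Usage (constructed filename):
#   . ./submit.sh && submit_buildinfo hello_1.0_amd64.buildinfo
```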