package uploaded to our repo

Holger Levsen holger at
Wed Sep 21 23:04:51 UTC 2016


Mattia, thanks a lot for this great description what you did why!
Really awesome.

On Wed, Sep 21, 2016 at 01:35:27PM +0000, Mattia Rizzolo wrote:
> well, why, considering a single-archive world, is Source+Version fields
> in .buildinfo not enough to link the binaries to the source?

well, if this reproducible builds effort is also ment to improve the
security of Debian, it's very proper not only to record what the label
says it should contain (src pkg + version) but also something so it's
later possible to check whether "your src pkg + version" is the same
"I" later build… ;) (IOW: to not only record the label but also a hash
of the contents.)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: Digital signature
URL: <>

More information about the Reproducible-builds mailing list