Moving towards a deb-buildinfo(5) Format 1.0

Holger Levsen holger at layer-acht.org
Mon Nov 14 14:01:34 UTC 2016


On Mon, Nov 14, 2016 at 05:44:22AM +0900, Daniel Kahn Gillmor wrote:
> >> Multiple builds of the same source package will set SOURCE_DATE_EPOCH to
> >> the same value but will result in a different Build-Date.
> It is definitely not what most of us initially expected, but it is
> actually what we want.
[...] 
> In short, we *want* buildinfos to vary, while we want the generated
> binary artifacts to be reproducible.

well. our reasoning a year ago for identical buildinfo files (for
different builds of the same package) was the idea, that multiple people
could sign these buildinfo files to confirm they could reproduce these
builds.

having different buildinfo files to confirm identical builds makes
confirming a bit harder.

OTOH this will save us from dealing with detached signatures as all
buildinfo files can just be signed inline.


-- 
cheers,
	Holger
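
An added illustration, not part of the original message and not code from the reproducible-builds project: confirming that two buildinfo files which differ in Build-Date still record identical binary artifacts. The `Checksums-Sha256` and `Build-Architecture` field names are taken from deb-buildinfo(5) rather than from this message, and the package name, size, digests and the `sample()` helper are constructed for the example.

```python
# Added example: all sample data below is constructed, not a real build record.

def sample(build_date, digest):
    """Build a minimal constructed .buildinfo paragraph."""
    return (
        "Format: 1.0\nSource: hello\nVersion: 2.10-1\n"
        "Build-Architecture: amd64\n"
        f"Build-Date: {build_date}\n"
        "Checksums-Sha256:\n"
        f" {digest} 52000 hello_2.10-1_amd64.deb\n"
    )

def parse_fields(text):
    """Parse one deb822-style paragraph into {field: [value lines]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation line of a multi-line field
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(line.strip())
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields

def artifacts(fields):
    """Map filename -> (sha256, size) from the Checksums-Sha256 field."""
    out = {}
    for entry in fields.get("Checksums-Sha256", []):
        digest, size, name = entry.split()
        out[name] = (digest, int(size))
    return out

def compare(a_text, b_text):
    """Return (artifacts identical?, sorted names of fields that differ)."""
    a, b = parse_fields(a_text), parse_fields(b_text)
    same = bool(artifacts(a)) and artifacts(a) == artifacts(b)
    return same, sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

GOOD = "ab" * 32  # constructed placeholder digest
FIRST = sample("Mon, 14 Nov 2016 10:00:00 +0000", GOOD)
REBUILD = sample("Mon, 14 Nov 2016 13:30:00 +0000", GOOD)
MISMATCH = sample("Mon, 14 Nov 2016 13:30:00 +0000", "cd" * 32)
```

The comparison is made on the recorded artifact checksums, so a rebuild counts as a confirmation even though the two buildinfo files are not byte-identical.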