Buildinfo in the Debian archive, updates
Ximin Luo
infinity0 at debian.org
Mon Nov 14 17:13:00 UTC 2016
Ximin Luo:
> [..]
>
> Now then, why does the FTP archive need to distribute buildinfo files at all?
> It can simply store the signed files and distribute the hashes. Then rebuilders
> (people that want to verify our reproducibility claims) can download the hashes
> from the archive, get the corresponding buildinfo files from another server,
> and perform the build. The files could even be unsigned; this does not matter
> for rebuilding purposes.
>
> This is a slightly awkward workflow however and it would be simpler / more
> reliable to only have to contact one host. Furthermore, most rebuilders would
> probably only try to build for one architecture, hence it is again a nicer
> workflow to only download the required buildinfos for your own architecture.
>
> We also ran some numbers and a Buildinfos-amd64.xz (with unsigned buildinfo
> files) turned out to be about 9MB which I think is reasonable to expect people
> to download periodically, whereas a Buildinfos.xz across all arches would
> probably be more like 50MB or more (we don't have the machines to properly
> calculate this) and is less convenient both for rebuilders and for the archive
> mirror network.
>
> With signatures, the number is much much greater and not really suitable for
> continual distribution, which is why these have to be unsigned.
>
Thanks HW42 for prompting a second look at this.
A GPG signature with a 4096-bit key is about 800 bytes in base 64:
http://ftp.debian.org/debian/dists/sid/ (has 2 signatures, if you use `gpg --list-packets`)
http://ppa.launchpad.net/infinity0/rust-nightly/ubuntu/dists/yakkety/
so it would be about 600 bytes compressed. Across 24000 source packages, this would be
600 * 24000 ~= 13.7MB
per architecture (including for arch:all). This doesn't seem too bad actually.
In total, this would be (9+13)*2 (one arch:all, one arch:$native) ~= 50MB download, which considering the advantage of not having to contact a 3rd party, I think is just about worth it, even if you only want to rebuild a few packages.
X
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git