Buildinfo in the Debian archive, updates

Jonathan McDowell noodles at
Tue Dec 6 22:41:34 UTC 2016

On Tue, Dec 06, 2016 at 09:24:20PM +0000, Holger Levsen wrote:
> On Mon, Nov 14, 2016 at 02:57:00PM +0000, Ximin Luo wrote:
> > This email is a summary of some discussions that happened after the
> > last post to bug #763822, plus some more of my own thoughts and
> > reasoning on the topic.
> I think that given our last mail on this bug was >4 weeks ago, it's
> mostly important we reply to the bug at all now…
> > I think having the Debian FTP archive distribute unsigned buildinfo
> > files is an OK intermediate solution, with a few tweaks:
> > 
> > 1. the hashes of the *signed* buildinfo files must be referred-to
> > for each binary package, in Packages.gz
> I actually think that's too much to ask for right now. we should
> *propose* this now as a 2nd step, but right now the first step should
> be that those .buildinfo files are stored *at all*, for later
> consumption.

The storage of the hashes of the signed buildinfo files in Packages.gz
seems to be in order to deal with the fact that the signature is not
available elsewhere. If dkg's suggestion of using ECC signatures is
followed then some quick checking shows a signature size of 165 bytes
(when ASCII armoured). This seems sufficiently small to me that you
could just map it into a Signature: field at the end of the buildinfo
stanza within buildinfo.xz, with the bonus that at some point that would
allow for multiple such fields, all within the archive mirror network.
The max permitted size of such a field could be something configurable
by ftp-master, so if they wanted to allow full RSA based signatures
they could set it to ~800 bytes, or limit it to ECC at < 200 bytes.

> Thinking again, I think we should not outline stuff for the 2nd step
> right now, just the very 1st, which is saving the files at all,
> somewhere on the local disk (of ftp-master.d.o).

Saving them into the projectb is probably the way to go. I started
looking at the dak code to do this back at DebConf, then stopped when it
looked like I was going down a different path to what was desired. I had
hoped to try and pick this up again before the meeting next week but
haven't found a sufficient block of time yet.


OK, if we can't have a tour, can we at least have a look around?
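As an added illustration of the Signature: field idea from the mail above (an ASCII-armoured signature carried as a multi-line field of the buildinfo stanza, several such fields allowed, and a size cap chosen by ftp-master), here is a small Python example. It is written for this page and is not dak code; the stanza text and the signature blocks are constructed placeholders rather than real OpenPGP signatures, and the function names are hypothetical. The 200-byte and ~800-byte caps are the figures quoted in the mail.

```python
"""Parse buildinfo-style (deb822) stanzas and enforce a configurable
Signature: field size, as sketched for buildinfo.xz in the thread."""
import re
from typing import List, Tuple

# Limits discussed in the mail: ECC signatures fit well under 200 bytes,
# full RSA signatures need roughly 800.
ECC_LIMIT = 200
RSA_LIMIT = 800

Stanza = List[Tuple[str, str]]


def encode_signature_field(armored: str) -> str:
    """Render an ASCII-armoured signature as a deb822 'Signature:' field.
    The value sits entirely on continuation lines (leading space); the
    armour's blank line is encoded as ' .' as deb822 requires."""
    lines = ["Signature:"]
    for line in armored.splitlines():
        lines.append(" ." if line == "" else " " + line)
    return "\n".join(lines)


def parse_stanzas(text: str) -> List[Stanza]:
    """Split deb822-style text into stanzas. Each stanza is an ordered
    list of (field, value) pairs, so duplicate fields survive (the mail
    anticipates multiple Signature: fields per stanza)."""
    stanzas: List[Stanza] = []
    current: Stanza = []
    for raw in text.splitlines():
        if not raw.strip():                  # blank line ends a stanza
            if current:
                stanzas.append(current)
                current = []
            continue
        if raw[0] in " \t":                  # continuation of previous field
            if not current:
                raise ValueError("continuation line before any field")
            name, value = current[-1]
            line = raw.strip()
            line = "" if line == "." else line  # ' .' means an empty line
            current[-1] = (name, value + "\n" + line if value else line)
            continue
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", raw)
        if not m:
            raise ValueError(f"malformed line: {raw!r}")
        current.append((m.group(1), m.group(2)))
    if current:
        stanzas.append(current)
    return stanzas


def field_size(value: str) -> int:
    """Byte length of a field value as it would be stored (UTF-8)."""
    return len(value.encode("utf-8"))


def check_signatures(stanza: Stanza, max_bytes: int) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected) Signature: values for one stanza; a
    value is accepted only if it fits the ftp-master-configured cap."""
    accepted, rejected = [], []
    for name, value in stanza:
        if name != "Signature":
            continue
        (accepted if field_size(value) <= max_bytes else rejected).append(value)
    return accepted, rejected


# Constructed placeholders: shaped like ASCII armour, not real signatures.
SHORT_SIG = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iHUEABEIAB0WIQQ+PLACEHOLDER+NOT+A+REAL+SIGNATURE+" + "A" * 11 + "=\n"
    "=abcd\n"
    "-----END PGP SIGNATURE-----"
)
LONG_SIG = (
    "-----BEGIN PGP SIGNATURE-----\n\n" + "A" * 900 +
    "\n=wxyz\n-----END PGP SIGNATURE-----"
)

# Constructed two-stanza index in the style of buildinfo.xz; the second
# stanza carries two Signature: fields, one of which is oversized.
SAMPLE_INDEX = "\n".join([
    "Format: 1.0", "Source: hello", "Binary: hello",
    "Architecture: amd64", "Version: 2.10-1",
    encode_signature_field(SHORT_SIG), "",
    "Format: 1.0", "Source: bigsig", "Binary: bigsig",
    "Architecture: amd64", "Version: 1.0-1",
    encode_signature_field(SHORT_SIG),
    encode_signature_field(LONG_SIG), "",
])

if __name__ == "__main__":
    for stanza in parse_stanzas(SAMPLE_INDEX):
        source = dict(stanza)["Source"]
        acc, rej = check_signatures(stanza, RSA_LIMIT)
        print(f"{source}: {len(acc)} accepted, {len(rej)} rejected (cap {RSA_LIMIT})")
```

The round trip matters: the armour contains a blank line, which deb822 cannot carry verbatim in a multi-line field, so encoding it as ` .` and decoding it back is what keeps the stored signature byte-identical to what was signed.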