Buildinfo in the Debian archive, updates

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Dec 6 23:21:09 UTC 2016


On Tue 2016-12-06 17:41:34 -0500, Jonathan McDowell wrote:
> The storage of the hashes of the signed buildinfo files in Packages.gz
> seems to be in order to deal with the fact that the signature is not
> available elsewhere. If dkg's suggestion of using ECC signatures is
> followed then some quick checking shows a signature size of 165 bytes
> (when ASCII armoured). This seems sufficiently small to me that you
> could just map it into a Signature: field at the end of the buildinfo
> stanza within buildinfo.xz, with the bonus that at some point that would
> allow for multiple such fields, all within the archive mirror network.

I'd be wary about this "multiple such fields" bit.  It seems likely that
different buildinfo files will not match each other, even if the
*output* is reproducible.  This is because buildinfo files can capture
some things that do not have an impact on the resultant binary
artifacts.

Otherwise, though, I agree with Jonathan that stuffing a small signature
into the buildinfo file itself seems OK.

     --dkg
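An added illustration of the point dkg makes above, not code from the thread or from dpkg: two .buildinfo stanzas for the same rebuild can differ byte-for-byte (Build-Date, Build-Path, an inline Signature: field) while still describing identical output, so "do the builds agree" has to be answered by comparing the artifact checksums the stanzas list, not by hashing the buildinfo files themselves. Both stanzas, their SHA-256 values and the Signature: field (the hypothetical inline field Jonathan proposes, not an existing dpkg field) are constructed for this example.

```python
# Added example (not from the mailing-list thread): compare two .buildinfo
# stanzas by the checksums of the artifacts they describe, rather than by
# the bytes of the files. The stanzas, hashes and the "Signature:" field
# below are all constructed; "Signature:" is the hypothetical inline field
# discussed in the thread, not a real dpkg field.
import hashlib
import re

BUILDINFO_A = """\
Format: 1.0
Source: hello
Binary: hello
Architecture: amd64
Version: 2.10-1
Checksums-Sha256:
 1111111111111111111111111111111111111111111111111111111111111111 12345 hello_2.10-1_amd64.deb
 2222222222222222222222222222222222222222222222222222222222222222 4321 hello-dbgsym_2.10-1_amd64.deb
Build-Origin: Debian
Build-Architecture: amd64
Build-Date: Tue, 06 Dec 2016 20:00:00 +0000
Build-Path: /build/hello-abc123
Installed-Build-Depends:
 gcc (= 6.2.1-5),
 libc6-dev (= 2.24-8)
Signature: ecc-signature-placeholder-builder-a
"""

# Same source, same artifacts, but rebuilt a day later on another host.
BUILDINFO_B = BUILDINFO_A.replace(
    "Tue, 06 Dec 2016 20:00:00 +0000", "Wed, 07 Dec 2016 09:30:00 +0000"
).replace("/build/hello-abc123", "/build/hello-def456").replace(
    "ecc-signature-placeholder-builder-a", "ecc-signature-placeholder-builder-b"
)

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_stanza(text):
    """Parse one deb822-style stanza into {field: value}.

    Continuation lines (leading space) are appended to the current field,
    one per line, which is how Checksums-* and Installed-Build-Depends
    carry their lists."""
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed field line: {line!r}")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def artifact_checksums(fields):
    """Return {filename: (sha256, size)} from the Checksums-Sha256 field,
    rejecting entries whose digest is not 64 lowercase hex characters."""
    out = {}
    for entry in fields.get("Checksums-Sha256", "").split("\n"):
        entry = entry.strip()
        if not entry:
            continue
        digest, size, name = entry.split()
        if not HEX64.match(digest):
            raise ValueError(f"bad sha256 for {name}: {digest}")
        out[name] = (digest, int(size))
    return out


def file_digest(text):
    """SHA-256 of the buildinfo file itself, as an archive index would store."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def differing_fields(text_a, text_b):
    """Field names whose values differ between the two stanzas."""
    a, b = parse_stanza(text_a), parse_stanza(text_b)
    return {k for k in set(a) | set(b) if a.get(k) != b.get(k)}


def same_build_output(text_a, text_b):
    """True when both stanzas list identical artifacts with identical
    SHA-256 digests and sizes, regardless of other field differences."""
    return artifact_checksums(parse_stanza(text_a)) == artifact_checksums(
        parse_stanza(text_b)
    )


if __name__ == "__main__":
    print("buildinfo files identical:", file_digest(BUILDINFO_A) == file_digest(BUILDINFO_B))
    print("fields that differ:", sorted(differing_fields(BUILDINFO_A, BUILDINFO_B)))
    print("build output reproducible:", same_build_output(BUILDINFO_A, BUILDINFO_B))
```

The design point is the one dkg raises: an archive that keys on the hash of the whole buildinfo file (or on an inline signature over it) will see every independent rebuild as a distinct record, so any "do N builders agree" check needs to operate on the Checksums-Sha256 contents after the environment-describing fields are set aside.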
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20161206/c73a40cf/attachment.sig>