Buildinfo in the Debian archive, updates

Jonathan McDowell noodles at
Wed Dec 7 10:38:36 UTC 2016

On Tue, Dec 06, 2016 at 06:21:09PM -0500, Daniel Kahn Gillmor wrote:
> I'd be wary about this "multiple such fields" bit.  it seems likely that
> different buildinfo files will not match each other, even if the
> *output* is reproducible.  This is because buildinfo files can capture
> some things that do not have an impact on the resultant binary
> artifacts.

I was under the impression that each set of binary artefacts from a
build would be accompanied by a single buildinfo file describing the
environment used. This would be signed by the original uploader, and
then there would be the possibility of further people attesting to that
pairing of buildinfo + binaries, rather than providing an entirely
separate set of buildinfo (+sig) information that produces the same

Is there a requirement that the archive is capable of storing multiple
buildinfo files, rather than just multiple buildinfo signatures, for a
given set of binary artefacts?


This isn't an office. It's Hell with fluorescent lighting.
This .sig brought to you by the letter J and the number 14
Product of the Republic of HuggieTag
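To make the point raised in the quoted message concrete, here is an added Python example (not code from the thread or from Debian): two constructed .buildinfo files for the same hello build disagree only in Build-Date and Build-Path, yet record identical Checksums-Sha256 entries for the artefacts, so comparing whole buildinfo files reports a mismatch where comparing artefact checksums does not. Field names follow the .buildinfo format; all values are constructed samples.

```python
# Constructed sample .buildinfo (deb822 format); not real archive data.
BUILDINFO_A = """\
Format: 1.0
Source: hello
Binary: hello
Architecture: amd64
Version: 2.10-1
Checksums-Sha256:
 3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855a 12345 hello_2.10-1_amd64.deb
Build-Date: Tue, 06 Dec 2016 18:21:09 -0500
Build-Path: /build/hello-2.10
Installed-Build-Depends:
 gcc (= 4:6.2.0-2),
 libc6-dev (= 2.24-8)
Environment:
 LANG="C"
"""
# A second build of the same source elsewhere: artefacts identical, environment not.
BUILDINFO_B = (BUILDINFO_A
               .replace("Tue, 06 Dec 2016 18:21:09 -0500", "Wed, 07 Dec 2016 10:38:36 +0000")
               .replace("/build/hello-2.10", "/tmp/rebuild/hello-2.10"))

# Fields that describe how the build was done rather than what it produced.
ENVIRONMENT_FIELDS = ("Build-Date", "Build-Path", "Installed-Build-Depends", "Environment")

def parse_deb822(text):
    """Minimal deb822 parser: indented lines continue the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            fields[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def artifact_checksums(fields):
    """Map filename -> sha256 from the Checksums-Sha256 field (digest size name)."""
    rows = (e.split() for e in fields["Checksums-Sha256"].splitlines() if e)
    return {name: digest for digest, _size, name in rows}

def compare_buildinfo(text_a, text_b):
    """Return (artefacts identical?, environment fields that differ, files byte-identical?)."""
    a, b = parse_deb822(text_a), parse_deb822(text_b)
    same_artifacts = artifact_checksums(a) == artifact_checksums(b)
    differing = [k for k in ENVIRONMENT_FIELDS if a.get(k) != b.get(k)]
    return same_artifacts, differing, text_a == text_b
```

Running compare_buildinfo(BUILDINFO_A, BUILDINFO_B) yields identical artefacts, two differing environment fields, and non-identical files, which is why a second signature over one agreed buildinfo and a second, distinct buildinfo file are not interchangeable.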
