Buildinfo in the Debian archive, updates

Ximin Luo infinity0 at
Wed Dec 7 11:00:00 UTC 2016

Jonathan McDowell:
> On Tue, Dec 06, 2016 at 06:21:09PM -0500, Daniel Kahn Gillmor wrote:
>> I'd be wary about this "multiple such fields" bit.  it seems likely that
>> different buildinfo files will not match each other, even if the
>> *output* is reproducible.  This is because buildinfo files can capture
>> some things that do not have an impact on the resultant binary
>> artifacts.
> I was under the impression that each set of binary artefacts from a
> build would be accompanied by a single buildinfo file describing the
> environment used. This would be signed by the original uploader, and
> then there would be the possibility of further people attesting to that
> pairing of buildinfo + binaries, rather than providing an entirely
> separate set of buildinfo (+sig) information that produces the same
> binary.
> Is there a requirement that the archive is capable of storing multiple
> buildinfo files, rather than just multiple buildinfo signatures, for a
> given set of binary artefacts?

Yes, buildinfo files are expected to be different, even for multiple builders that successfully reproduced the same binary hashes. The Binary: fields would be the same, but the other fields might be different. This is a good thing from a security perspective.

For more details on why you can read the draft here:


GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE

More information about the Reproducible-builds mailing list