Buildinfo in the Debian archive, updates

Ximin Luo infinity0 at debian.org
Wed Dec 7 11:00:00 UTC 2016


Jonathan McDowell:
> On Tue, Dec 06, 2016 at 06:21:09PM -0500, Daniel Kahn Gillmor wrote:
>> I'd be wary about this "multiple such fields" bit.  it seems likely that
>> different buildinfo files will not match each other, even if the
>> *output* is reproducible.  This is because buildinfo files can capture
>> some things that do not have an impact on the resultant binary
>> artifacts.
> 
> I was under the impression that each set of binary artefacts from a
> build would be accompanied by a single buildinfo file describing the
> environment used. This would be signed by the original uploader, and
> then there would be the possibility of further people attesting to that
> pairing of buildinfo + binaries, rather than providing an entirely
> separate set of buildinfo (+sig) information that produces the same
> binary.
> 
> Is there a requirement that the archive is capable of storing multiple
> buildinfo files, rather than just multiple buildinfo signatures, for a
> given set of binary artefacts?
> 

Yes, buildinfo files are expected to be different, even for multiple builders that successfully reproduced the same binary hashes. The Binary: fields would be the same, but the other fields might be different. This is a good thing from a security perspective.

For more details on why, you can read the draft here:

https://anonscm.debian.org/cgit/reproducible/buildinfo-spec.git/tree/notes/buildinfo.rst

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
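As an added illustration of the point made above (not code from the thread, the buildinfo-spec draft, or Debian's own tooling): two builders that reproduce the same binaries produce buildinfo files whose binary checksums agree but whose environment fields differ, so a verifier compares the Checksums-Sha256 entries rather than the whole file. The example below is a small parser for the Debian control-style format used by .buildinfo files and a comparison function; the two buildinfo texts are constructed samples with placeholder hashes and paths, and the field names follow deb-buildinfo(5).

```python
"""Compare constructed .buildinfo files: same binary hashes, different builders.

Added example, not part of the original mailing-list post. The sample
buildinfo texts below are constructed; the digests and paths are placeholders.
"""
from collections import OrderedDict

# Constructed sample: builder 1
BUILDINFO_A = """\
Format: 1.0
Source: hello
Binary: hello
Architecture: amd64
Version: 2.10-1
Checksums-Sha256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 12345 hello_2.10-1_amd64.deb
Build-Origin: Debian
Build-Architecture: amd64
Build-Date: Wed, 07 Dec 2016 11:00:00 +0000
Build-Path: /build/hello-2.10
Installed-Build-Depends:
 base-files (= 9.6),
 gcc (= 4:6.2.0-2)
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
"""

# Constructed sample: builder 2 reproduced the same .deb in a different
# environment, so only the environment-describing fields change.
BUILDINFO_B = BUILDINFO_A.replace(
    "Wed, 07 Dec 2016 11:00:00 +0000", "Thu, 08 Dec 2016 02:15:43 +0000"
).replace("/build/hello-2.10", "/srv/rebuild/hello-2.10").replace(
    'DEB_BUILD_OPTIONS="parallel=4"', 'DEB_BUILD_OPTIONS="parallel=16"'
)

# Constructed sample: a buildinfo claiming a different hash for the same file.
BUILDINFO_TAMPERED = BUILDINFO_B.replace(
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",
)


def parse_buildinfo(text):
    """Parse the control-file syntax: 'Field: value', continuation lines indented."""
    fields = OrderedDict()
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed line: %r" % line)
            current = name.strip()
            fields[current] = value.strip()
    return fields


def checksums(fields, algo="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from a Checksums-* field."""
    out = {}
    for entry in fields.get(algo, "").split("\n"):
        entry = entry.strip()
        if not entry:
            continue
        digest, size, name = entry.split()
        out[name] = (digest, int(size))
    return out


def compare_buildinfo(a_text, b_text):
    """Return (same_binaries, differing_fields).

    same_binaries is True when both files list the same binary packages with
    identical SHA-256 digests and sizes; differing_fields lists every field
    whose value differs, which for two honest reproductions is only the
    environment description (date, path, variables), never the checksums.
    """
    a, b = parse_buildinfo(a_text), parse_buildinfo(b_text)
    same_binaries = a.get("Binary") == b.get("Binary") and checksums(a) == checksums(b)
    differing = sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))
    return same_binaries, differing


if __name__ == "__main__":
    for label, other in (("builder 2", BUILDINFO_B), ("tampered", BUILDINFO_TAMPERED)):
        same, diff = compare_buildinfo(BUILDINFO_A, other)
        print("%s: binaries match=%s, differing fields=%s" % (label, same, diff))
```

Run as a script to see that builder 2's file differs from builder 1's only in Build-Date, Build-Path and Environment while the binaries match, whereas the tampered file is flagged because Checksums-Sha256 itself differs. An archive that accepts multiple buildinfo files per upload can therefore keep each builder's full environment description and still decide reproducibility purely on the checksum fields.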


