Buildinfo in the Debian archive, updates
holger at layer-acht.org
Wed Dec 7 16:20:53 UTC 2016
On Tue, Dec 06, 2016 at 10:41:34PM +0000, Jonathan McDowell wrote:
> The storage of the hashes of the signed buildinfo files in Packages.gz
> seems to be in order to deal with the fact that the signature is not
> available elsewhere. If dkg's suggestion of using ECC signatures is
> followed then some quick checking shows a signature size of 165 bytes
> (when ASCII armoured). This seems sufficiently small to me that you
> could just map it into a Signature: field at the end of the buildinfo
> stanza within buildinfo.xz, with the bonus that at some point that would
> allow for multiple such fields, all within the archive mirror network.
while I agree this is where we should probably be going, I dont think we
should be going there now, as it requires changes to dpkg and dak.
IMO the next step should just involve changes to dak, to just save those
buildinfo files (as they are now) on disk. so that we have them in
_then_, the next step could be like described above or whatever.
On Wed, Dec 07, 2016 at 07:14:29AM +0200, Vagrant Cascadian wrote:
> Overall, I'm in favor of whatever incremental progress moves in the
> right general direction, even if not the "perfect" direction. :)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 811 bytes
Desc: Digital signature
More information about the Reproducible-builds