Buildinfo in the Debian archive, updates

Holger Levsen holger at
Wed Dec 7 16:20:53 UTC 2016


On Tue, Dec 06, 2016 at 10:41:34PM +0000, Jonathan McDowell wrote:
> The storage of the hashes of the signed buildinfo files in Packages.gz
> seems to be in order to deal with the fact that the signature is not
> available elsewhere. If dkg's suggestion of using ECC signatures is
> followed then some quick checking shows a signature size of 165 bytes
> (when ASCII armoured). This seems sufficiently small to me that you
> could just map it into a Signature: field at the end of the buildinfo
> stanza within buildinfo.xz, with the bonus that at some point that would
> allow for multiple such fields, all within the archive mirror network.

while I agree this is where we should probably be going, I don't think we
should be going there now, as it requires changes to dpkg and dak.

IMO the next step should just involve changes to dak, to just save those
buildinfo files (as they are now) on disk, so that we have them in

_then_, the next step could be like described above or whatever.

On Wed, Dec 07, 2016 at 07:14:29AM +0200, Vagrant Cascadian wrote:
> Overall, I'm in favor of whatever incremental progress moves in the
> right general direction, even if not the "perfect" direction. :)

