source-only builds and .buildinfo
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jun 21 13:35:04 UTC 2017
On Wed 2017-06-21 14:16:00 +0300, Adrian Bunk wrote:
> On Wed, Jun 21, 2017 at 09:30:14AM +0000, Holger Levsen wrote:
>> trigger warning: nitpicking.
>> On Wed, Jun 21, 2017 at 11:34:17AM +0300, Adrian Bunk wrote:
>> > > I do source-only uploads because i don't want the binaries built on my
>> > > own personal infrastructure to reach the public. But i want to upload
>> > > the .buildinfo because i want to provide a corroboration of what i
>> > > *expect* the buildds to produce.
>> > If you expect that, then your expectation is incorrect.
>> I actually think that dkg's expectation is right, "just" that reality is wrong.
>> The design of the Debian buildd network is from times when machines were much
>> less powerful than what we have today and it shows.
>> I'd rather have deterministic builds than the current unpredictable mess.
> I understand what you want, but using buildinfo is not a good idea here.
> Based on how many broken binaries get uploaded from developers,
> the environment of the person uploading the sources is not a good
> basis for determining what package versions to install when building
> on the buildds.
lest there be any misunderstanding: i am *not* suggesting that i want
the build daemons to select their packages based on what's in my
.buildinfo. Ximin's interpretation of my intent is the correct one: i
want to see whether we manage to reproduce the same output.
if the binary package outputs differ, and the installed build-deps
differ, fine. that's data that someone tracking how things are built
can use in a future analysis. if the binar package outputs do *not*
differ, and the build-deps differ, that's also interesting information.
my goal here isn't to use the build daemons as the r-b infrastructure --
we've already got the r-b infrastructure for that. :) But i'm happy to
be able to see some corroborative (or anti-corroborative) .buildinfos
published so that people who want to analyze them can do so.
PS I fully agree that the right outcome for debian overall is to not
allow binary uploads from anyone, unless they're granted special
dispensation (e.g. toolchain porters), but that's getting far afield
from this thread.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 832 bytes
Desc: not available
More information about the Reproducible-builds