source-only builds and .buildinfo

Daniel Kahn Gillmor dkg at
Wed Jun 21 16:56:23 UTC 2017

On Wed 2017-06-21 15:42:07 +0100, Ian Jackson wrote:
> This is a very useful concept but I suggest you give it a new name.
> "binaries-attested upload" perhaps ?

I like the idea that we should name this thing, but i'd call it
something like a "source-only upload with .buildinfo" or
"source+buildinfo upload" instead.

> To me "source-only upload" means that there were no binaries built,
> and therefore no information about binaries included in the upload.

i tend to think "source-only" in this phrase applies to "upload",
meaning that the upload doesn't include binaries, and what i'm uploading
doesn't include binaries.  i acknowledge that it also includes some
stuff that isn't actually sources, but this is true of normal
"source-only" uploads too -- for example, such uploads include
cryptographic signatures and selected elements of the changelogs, which
are also not sources.




More information about the Reproducible-builds mailing list