Use of .buildinfo in buster

Adrian Bunk bunk at debian.org
Mon Jul 24 20:30:53 UTC 2017 

On Sun, Jul 23, 2017 at 01:54:32PM +0200, Mattia Rizzolo wrote:
>...
> Buildinfo files
> ===============
> 
> We have been playing with .buildinfo files [9] for more than two years,
> and dpkg finally started producing them with version 1.18.11 (Nov 2016).
> 
> Some weeks later dak started to store those files, and they are
> accessible to all DDs in
> mirror.ftp-master.debian.org:/srv/ftp-master.debian.org/buildinfo.
> There are 214791 unique .buildifo files at the time of writing.
> 
> Our dreams for those files do not end there, however; we want those
> files be published and much more.  You can see in [10] more details
> on these files as we thought of them, and the current format as
> implemented by dpkg is available in deb-buildinfo(5) [11].
> 
> We are currently blocked awaiting feedback from ftp-masters on this (see
> #763822 [12]).  Please consider helping out if you can!
> 
> We also have a proof of concept website reachable at
> https://buildinfo.debian.net that is aiming to collect .buildinfo files
> coming from everywhere; currently only our CI is systematically pushing
> .buildinfo files there, but there is another open bug for ftp-master to
> push the .buildinfo of officially built packages there as well (see
> #862073 [13]).  Also note that the service is open to anyone without
> authentication (by design), so everybody could push their own .buildinfo
> file with a simple HTTP POST.
>...

What and how is expected to work based on .buildinfo files in buster?

Usecases based on .buildinfo files uploaded by random people are more
on the fringe side, a more relevant topic is how users can get the 
.buildinfo files from the binaries they are using (or plan to use).

What tool(s) in buster will allow users to download the .buildinfo files 
matching the packages they are using and what is the canonical location 
where such tools will download them from (Debian mirrors or
buildinfo.debian.net)?

If wide adoption of .buildinfo is desired, will providing and 
downloading .buildinfo also seamlessly work for local repositories
in cases where the .buildinfo must not leak to a public place?

Is the sig-repos infrastructure expected to be available for buster,
and how would that interact for example with security updates installed
through unattended-upgrades?

Likely none of the above has an answer right now, and that is OK.
My point is that these are topics that have to be started soon
if it shouldn't be too late for buster.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

More information about the Reproducible-builds mailing list