Use of .buildinfo in buster
Adrian Bunk
bunk at debian.org
Mon Jul 24 21:56:05 UTC 2017
On Mon, Jul 24, 2017 at 09:46:27PM +0100, Chris Lamb wrote:
>...
> Related to this is how we show/expose reproducibility to end users, if at
> all. Some discussion of sorts is happening on #863622 (src:apt).
>...
How is this supposed to work for DSAs?

Do you want to claim a security update is reproducible without checking,
or do you want to delay DSAs until the packages have been reproduced
for all architectures?

Why should this be a per-package user-visible issue instead of aiming
at giving guarantees for all packages in main?

There is also a certain amount of WTF:
This would make a relatively hard to exploit issue appear more
worrisome to a user than installing a browser engine with zero
security support and more than 100 unfixed CVEs.
> Regards,
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed