distributing .buildinfo files (Re: Bad interaction between pbuilder/debhelper/dpkg-buildinfo/dpkg-genchanges and dak on security-master)
Holger Levsen
holger at layer-acht.org
Sun Sep 3 11:43:50 UTC 2017
On Sun, Sep 03, 2017 at 11:40:53AM +0200, Philipp Kern wrote:
> Git is an interesting thought for incremental mirroring. But then it also
> seems to be a poor choice for something that is an only growing repository
> of data.
the nice thing with git is that you get a signed tree for free (or rather, very
easily with tools almost everybody understands), even though it atm only uses
sha1 hashes. IOW: it's a very simple blockchain, which has better properties
than a simple file based mirror.
> What I think should be a requirement is that the data is pushed out before
> the mirror pulse. Otherwise you end up with a race where you try to mirror
> the data including the buildinfo but can't access it. (It's a little
> unfortunate that we don't simply put them onto the mirrors.
agreed.
--
cheers,
Holger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20170903/8589811b/attachment.sig>
More information about the Reproducible-builds
mailing list