Evaluation of bundling .buildinfo in .deb proposal

Chris Lamb lamby at debian.org
Mon Aug 31 13:02:03 BST 2020


[adding rb-general to CC]

Hi Guillem,

> Holger proposed to bundle the .buildinfo files into .deb archives
> during the DebConf talk. I've mentioned to Holger that I'm not seeing
> this as being feasible and mentioned various reasons why, but I'm also
> still open to explore this possibility. So I've added these in a wiki
> page:
>
>   <https://wiki.debian.org/Teams/Dpkg/Spec/BundledBuildinfo>

The majority of Debian's documentation is either littered around the
internet, in obscure mailing list posts, in IRC backlogs or simply in
people's minds. This kind of document pushes back against this
organisational antipattern, so thank you.

With regards to your question, I do not believe you are missing
anything here, except perhaps to clarify exactly which .debs you would
put the .buildinfo into. I assume you mean all of the binary .debs
(noting your later caveat regarding .udebs), but it might be worth
being specific for clarity.

In terms of my own opinion, you remark that:

    this would make a simple file comparison [..] require some
    kind of tool

This does indeed go against one of the stated original design
principles as well as the unstated æsthetic ones that I hold
personally. I have also empirically observed that the platforms that
adopt a "oh, you just need this small tool" approach do not appear to
gain as much traction either.

Now, I cannot back this up scientifically, but I don't believe this is
purely for technical reasons but also cognitive ones. As in, there is
something deeply psychologically reassuring and satisfying to humans
when a reproducible artefact can be seen to be identical using just
our "eyes" and without any tools whatsoever. I might completely trust
some tool technically and even trust it from a security perspective (!)
yet it somehow does not feel nearly as "secure", right or intuitive.

(As an obiter dictum, are we sure it was Holger who was proposing this
idea in the talk, rather than mentioning it? I think he has previously
echoed my view on the "no special tools" principle, hence this minor
remark. Am willing to be corrected either way.)


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org 🍥 chris-lamb.co.uk
       `-
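An added example (not from this message, Guillem's wiki page or dpkg itself) of the file-comparison point quoted above: two constructed .deb-shaped ar archives with identical control and data members but a per-build .buildinfo member no longer share a checksum, so a member-aware comparison tool becomes necessary. The `buildinfo` member name and the placeholder tarball bytes are assumptions.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_member(name, data, mtime=0):
    """Encode one ar member as .deb uses it: 60-byte header, even-padded body."""
    header = (f"{name:<16}{mtime:<12}{0:<6}{0:<6}{'100644':<8}"
              f"{len(data):<10}").encode() + b"`\n"
    return header + data + (b"\n" if len(data) % 2 else b"")

def build_deb(control, data, buildinfo=None):
    """Assemble a .deb-shaped archive; the 'buildinfo' member name is assumed."""
    members = [ar_member("debian-binary", b"2.0\n"),
               ar_member("control.tar", control),
               ar_member("data.tar", data)]
    if buildinfo is not None:
        members.append(ar_member("buildinfo", buildinfo))
    return AR_MAGIC + b"".join(members)

def ar_members(blob):
    """Parse an ar archive into {member name: body}."""
    assert blob.startswith(AR_MAGIC), "not an ar archive"
    pos, out = len(AR_MAGIC), {}
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        size = int(hdr[48:58].decode().strip())
        out[hdr[:16].decode().rstrip()] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return out

def same_ignoring(a, b, ignored=("buildinfo",)):
    """The 'some kind of tool': compare every member except the ignored ones."""
    strip = lambda m: {k: v for k, v in m.items() if k not in ignored}
    return strip(ar_members(a)) == strip(ar_members(b))

# Constructed sample payloads (stand-ins for real control/data tarballs).
CONTROL, DATA = b"Package: hello\nVersion: 1.0\n", b"hello world payload"
BUILDINFO_1 = b"Source: hello\nBuild-Date: Mon, 31 Aug 2020 12:00:00 +0000\n"
BUILDINFO_2 = b"Source: hello\nBuild-Date: Tue, 01 Sep 2020 09:30:00 +0000\n"

def compare_builds():
    """(checksums match unbundled, checksums match bundled, member-aware match)."""
    plain_1, plain_2 = build_deb(CONTROL, DATA), build_deb(CONTROL, DATA)
    bundled_1 = build_deb(CONTROL, DATA, BUILDINFO_1)
    bundled_2 = build_deb(CONTROL, DATA, BUILDINFO_2)
    return (hashlib.sha256(plain_1).digest() == hashlib.sha256(plain_2).digest(),
            hashlib.sha256(bundled_1).digest() == hashlib.sha256(bundled_2).digest(),
            same_ignoring(bundled_1, bundled_2))
```

`compare_builds()` returns `(True, False, True)`: without the bundled member a plain checksum suffices, with it only the member-aware comparison still says "identical".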
