deprecation of buildinfo.debian.net (NOT buildinfos.debian.net)
Chris Lamb
lamby at debian.org
Tue Jun 3 19:00:40 BST 2025
Holger Levsen wrote:
> On Tue, Jun 03, 2025 at 07:45:14AM -0700, Chris Lamb wrote:
>> To clarify the question: why we should sign .buildinfo files in
>> general, or why we signed the ones coming from the tests.r-b.o
>> specifically?
>
> the latter.
Part of the circular reasoning is because buildinfo.debian.net only
accepted signed .buildinfo files.
But in practice I found it nice to have the transparency of: "where
did this build come from? Ah, it definitely came from
tests.reproducible-builds.org." I therefore had good evidence
regarding how much I could trust that .buildinfo file, i.e. not
that much.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby at debian.org 🍥 chris-lamb.co.uk
`-