[rb-general] Regarding "Zero Install" manifests

Holger Levsen holger at layer-acht.org
Fri Jun 9 22:30:59 CEST 2017


Hi Anders,

sorry for this very late reply…

On Fri, Apr 28, 2017 at 07:40:24PM +0000, Anders Björklund wrote:
> Ximin Luo wrote:
> > At the moment we already *have* buildinfo files (i.e. signed
> > manifests), and the next step is to figure out what sorts of logic we
> > should add to say, `apt-get` so that users get a good sense of "how
> > reproducible" the packages that they're installing are.
> 
> Oh, when I asked my question I got the impression that there was no
> standardized output format (that would contain any checksums etc)
> 
> Looking at the docs, I saw only generic explanations but no formats:
> https://reproducible-builds.org/docs/checksums/
> https://reproducible-builds.org/docs/embedded-signatures/
> So that is why I gave an example of such a format that does exist?
> 
> 
> Looking at https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles
> it seemed rather specific to Debian and I didn't see any contents?
> 
> The idea was for a single format that would describe the binaries.
> Wouldn't hurt if it was something like how git describes the code?

you're right, so far we only really "have" .buildinfo files for Debian,
where "have" means having a documented format, which has a tested
implementation and has been proven to work for users to reproduce
specific builds.

Or maybe *I* only know about those Debian .buildinfo files… ;-)

And then, .buildinfo files are both a specific implementation for Debian,
as well as a general concept, which might be called differently and
*structured* differently. This is mostly because we think that different
projects will want to use those formats which are natural to them
(eg rfc822 for Debian).

Sometimes projects already have files which describe build results, and
those files already have a name… there we rather want to add missing
information to these files, so they can be used for reproducing binaries.

Does this make more sense now? I wish we had this documented more
clearly on https://reproducible-builds.org/docs/ and would love to hear
feedback from you on how to achieve that! :-)

Some more (rough) notes are available at
https://reproducible-builds.org/events/berlin2016/buildinfofiles/


-- 
cheers,
	Holger