[rb-general] reproducible .debs outside of the Debian archive

Holger Levsen holger at layer-acht.org
Mon Jan 25 14:41:38 CET 2016


(full quote for the benefit of the newly cc:ed readers…)

On Samstag, 23. Januar 2016, HW42 wrote:
> Qubes has, like a bunch of other projects, an own apt repo.
> Thanks to the work of the Debian reproducible builds project it's in the
> most cases pretty easy to get the packages reproducible. But to get
> "real" reproducible builds you need to record the required parts of the
> build environment (the patched dpkg does this already by creating a
> .buildinfo file) and the user needs to be able to reproduce the
> environment (the srebuild-script is still WIP).
> But this also requires to archive all source and binary packages and the
> .buildinfo files. Debian has snapshot.debian.org for this (the
> .buildinfo support is still WIP).
> So I'm interested what you recommend for this?

nothing so far, we have no experience with doing this at all :) so thanks for 
bringing this up here!

> Running an own
> instance of the snapshot.d.o software?

I guess this is overkill but I have never tried this. Also I dont think 
snapshot.d.o already has code to archive .buildinfo files, cc:ing the mailing 
list to get feedback on this.

> Keep all versions in one repo?

I think that's what I would suggest. Currently we only have a patch for dak to 
support keeping .buildinfo files, I think a wishlist bug against reprepro is 
in order! :-) 

IOW: for a qubes repo I would probably suggest to use reprepro, not dak.

> What about the .buildinfo files?

see above :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20160125/191da993/attachment.sig>

More information about the rb-general mailing list