[rb-general] reproducible .debs outside of the Debian archive
Holger Levsen
holger at layer-acht.org
Mon Jan 25 14:41:38 CET 2016
Hi,
(full quote for the benefit of the newly cc:ed readers…)
On Samstag, 23. Januar 2016, HW42 wrote:
> Qubes has, like a bunch of other projects, an own apt repo.
>
> Thanks to the work of the Debian reproducible builds project it's in the
> most cases pretty easy to get the packages reproducible. But to get
> "real" reproducible builds you need to record the required parts of the
> build environment (the patched dpkg does this already by creating a
> .buildinfo file) and the user needs to be able to reproduce the
> environment (the srebuild-script is still WIP).
>
> But this also requires to archive all source and binary packages and the
> .buildinfo files. Debian has snapshot.debian.org for this (the
> .buildinfo support is still WIP).
>
> So I'm interested what you recommend for this?
nothing so far, we have no experience with doing this at all :) so thanks for
bringing this up here!
> Running an own
> instance of the snapshot.d.o software?
I guess this is overkill but I have never tried this. Also I dont think
snapshot.d.o already has code to archive .buildinfo files, cc:ing the mailing
list to get feedback on this.
> Keep all versions in one repo?
I think that's what I would suggest. Currently we only have a patch for dak to
support keeping .buildinfo files, I think a wishlist bug against reprepro is
in order! :-)
IOW: for a qubes repo I would probably suggest to use reprepro, not dak.
> What about the .buildinfo files?
see above :)
cheers,
Holger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20160125/191da993/attachment.sig>
More information about the rb-general
mailing list