[rb-general] reproducible .debs outside of the Debian archive
HW42
hw42 at ipsumj.de
Mon Jan 25 17:30:50 CET 2016
Holger Levsen:
>> Running an own instance of the snapshot.d.o software?
>
> I guess this is overkill but I have never tried this. Also I dont
> think snapshot.d.o already has code to archive .buildinfo files,
> cc:ing the mailing list to get feedback on this.
>
>> Keep all versions in one repo?
>
> I think that's what I would suggest.
Ok, great; that was also my expectation.
> Currently we only have a patch for dak to support keeping .buildinfo
> files, I think a wishlist bug against reprepro is in order! :-)
>
> IOW: for a qubes repo I would probably suggest to use reprepro, not
> dak.
reprepro unfortunately can't handle multiple version of a package in one
repo. After a quick search it seems aptly is suitable.
Before filling a wishlist bug, we should think about what the desired
behavior is. Where should the .buildinfo be saved? How should they be
indexed?
For the single repo case I think the .buildinfo files can be either be
simply stored directly beside the .deb or in a buildinfo directory.
The more interesting question is how they should be indexed, and if the
index should be signed?
IIRC the plan for dak was some separate tar-archive with all the
.buildinfo files? Will it be signed? Is there some interface planed
where I can get a single .buildinfo?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20160125/da61d807/attachment.sig>
More information about the rb-general
mailing list