[rb-general] reproducible .debs outside of the Debian archive

HW42 hw42 at ipsumj.de
Mon Jan 25 17:30:50 CET 2016

Holger Levsen:
>> Running an own instance of the snapshot.d.o software?
> I guess this is overkill but I have never tried this. Also I dont
> think snapshot.d.o already has code to archive .buildinfo files,
> cc:ing the mailing list to get feedback on this.
>> Keep all versions in one repo?
> I think that's what I would suggest.

Ok, great; that was also my expectation.

> Currently we only have a patch for dak to support keeping .buildinfo
> files, I think a wishlist bug against reprepro is in order! :-) 
> IOW: for a qubes repo I would probably suggest to use reprepro, not
> dak.

reprepro unfortunately can't handle multiple version of a package in one
repo. After a quick search it seems aptly is suitable.

Before filling a wishlist bug, we should think about what the desired
behavior is. Where should the .buildinfo be saved? How should they be

For the single repo case I think the .buildinfo files can be either be
simply stored directly beside the .deb or in a buildinfo directory.

The more interesting question is how they should be indexed, and if the
index should be signed?

IIRC the plan for dak was some separate tar-archive with all the
.buildinfo files? Will it be signed? Is there some interface planed
where I can get a single .buildinfo?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20160125/da61d807/attachment.sig>

More information about the rb-general mailing list