[rb-general] reproducible .debs outside of the Debian archive

HW42 hw42 at ipsumj.de
Mon Jan 25 23:29:19 CET 2016

Jérémy Bobbio:
> HW42:
>> reprepro unfortunately can't handle multiple version of a package in
>> one repo. After a quick search it seems aptly is suitable.
> reprepro has a `gensnapshot` command that might help to archive older
> versions though.

My current plan (for Qubes) was to have an "archive" repo which contains
all old versions. This has the advantage that you don't have to search
for the right snapshots.

>> Before filling a wishlist bug, we should think about what the desired
>> behavior is. Where should the .buildinfo be saved? How should they be
>> indexed?
> This is still pretty much in flux as we are still waiting for feedback
> from the ftpmasters.
>> IIRC the plan for dak was some separate tar-archive with all the
>> .buildinfo files? Will it be signed?
> The archive will not be signed directly, but its hash should be in the
> Release file which is signed.

Ok (That counts as signed in the context of my question).

When a new package is uploaded the archive will be regenerated?

Is there some bug/ML-thread where the details are discussed?

> The .buildinfo files themselves are signed just like .dsc files.

Yes, this is clear. This is done by the builder. I was thinking of the
.buildinfo index.

>> Is there some interface planed where I can get a single .buildinfo?
> Maybe on <http://metadata.ftp-master.debian.org/>. Again, there are
> still no definite answers at the moment. If you have suggestions, go
> ahead.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20160125/03aa3edb/attachment.sig>

More information about the rb-general mailing list