[rb-general] Comparison of the Debian and Arch .buildinfo approaches (was: Re: buildinfo filename convention)

Eli Schwartz eschwartz at archlinux.org
Mon Aug 13 18:56:07 CEST 2018

On 8/9/18 2:32 PM, Arnout Engelen wrote:
> 1) as demonstrated above, sharing and checking that the package was
> successfully reproduced across 'slightly different' environments is
> much easier with the Debian approach.

This seems to be mostly academic, as anyone who can reproduce in
slightly different environments should be able to reproduce in identical
environments too.

Admittedly we don't yet have established tooling for seeding this
environment, which mostly revolves around getting the right Arch
packages into the chroot usually used for doing clean builds.

If you're running experimental testbeds to fuzz for upstream issues,
then you'll probably be using tools like diffoscope which can
intelligently exclude files that don't matter.

> 2) with the Arch approach, it is relatively 'expensive' to add new
> fields to the .BUILDINFO, as also 'irrelevant' differences in the
> .BUILDINFO lead to different packages. There is no such cost in the
> Debian approach: as long as package hash in the signed .buildinfo
> is OK, all is OK. Adding (possibly-irrelevant) fields to .buildinfo
> can be useful for tracking down sources of accidental
> non-reproducibility, so it is nice if this is cheap.

Again as Levente said, new .BUILDINFO fields will come part and parcel
with new versions of `makepkg` itself, the version number for which is
already part of the metadata. (This includes git versions)

It is not just part of the .BUILDINFO via the installed version of
pacman. It's also a comment string in the .PKGINFO:
"# Generated by makepkg 5.1.1"

Eli Schwartz
Bug Wrangler and Trusted User
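
Added example, not part of the original message and not pacman's own code: a Python check that the makepkg version in the .PKGINFO comment matches the pacman version recorded in the .BUILDINFO `installed` entries. The sample file contents are constructed, the function names are hypothetical, and it assumes `installed` entries have the form name-pkgver-pkgrel-arch and a release (non-git) version.

```python
import re

# Constructed sample metadata (not taken from a real package).
PKGINFO = """\
# Generated by makepkg 5.1.1
# using fakeroot version 1.23
pkgname = example
pkgver = 1.0-1
"""

BUILDINFO = """\
format = 1
pkgname = example
pkgver = 1.0-1
installed = glibc-2.28-1-x86_64
installed = pacman-5.1.1-1-x86_64
installed = pacman-mirrorlist-20180804-1-any
"""

def makepkg_from_pkginfo(text):
    """Return the version from the '# Generated by makepkg X' comment, or None."""
    for line in text.splitlines():
        m = re.match(r"#\s*Generated by makepkg (\S+)", line)
        if m:
            return m.group(1)
    return None

def installed_version(buildinfo, name):
    """Return the pkgver (without pkgrel) of `name` from 'installed =' lines."""
    for line in buildinfo.splitlines():
        key, sep, value = line.partition(" = ")
        if key != "installed" or not sep:
            continue
        # Assumed form: name-pkgver-pkgrel-arch. Package names may contain
        # '-', so split from the right to avoid matching pacman-mirrorlist.
        parts = value.strip().rsplit("-", 3)
        if len(parts) == 4 and parts[0] == name:
            return parts[1]
    return None

def versions_agree(pkginfo, buildinfo):
    """True when both metadata files name the same makepkg/pacman release."""
    a = makepkg_from_pkginfo(pkginfo)
    b = installed_version(buildinfo, "pacman")
    return a is not None and a == b
```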
