[rb-general] Comparison of the Debian and Arch .buildinfo approaches (was: Re: buildinfo filename convention)

Arnout Engelen arnout at bzzt.net
Thu Aug 16 12:06:20 CEST 2018

On Mon, Aug 13, 2018 at 6:56 PM, Eli Schwartz <eschwartz at archlinux.org> wrote:
> On 8/9/18 2:32 PM, Arnout Engelen wrote:
>> 1) as demonstrated above, sharing and checking that the package was
>> successfully reproduced across 'slightly different' environments is
>> much easier with the Debian approach.
> This seems to be mostly academic, as anyone who can reproduce in
> slightly different environments should be able to reproduce in identical
> environments too.
> Admittedly we don't yet have established tooling for seeding this
> environment, which mostly revolves around getting the right Arch
> packages into the chroot usually used for doing clean builds.

Right! In some cases it can be hard to create 'completely identical'
environments, and being able to easily find additional matching
attestations from 'slightly different' environments can increase
confidence in a build at low cost.

Having the .BUILDINFO inside the package is probably fine for Arch,
and certainly does not weaken the security in any meaningful way,
but you asked for my opinion/comparison and you got it :D.


More information about the rb-general mailing list