[rb-general] Comparison of the Debian and Arch .buildinfo approaches (was: Re: buildinfo filename convention)
Holger Levsen
holger at layer-acht.org
Sat Aug 18 18:46:12 CEST 2018
On Thu, Aug 09, 2018 at 08:32:20PM +0200, Arnout Engelen wrote:
> On Thu, Aug 9, 2018 at 7:15 PM, Eli Schwartz <eschwartz at archlinux.org> wrote:
> > I'm curious what your opinion is on how Arch Linux implemented this. We
> > tar up the .BUILDINFO file inside the package archive.
>
> Thanks for the pointers, I wasn't aware of that! I'll try to summarize
> my understanding here, feel free to amend ;)
>
> The Arch .BUILDINFO is quite different (in format and fields) from the
> Debian .buildinfo, though they overlap in purpose. Compare for example
> the .BUILDINFO inside of
> https://www.archlinux.org/packages/core/any/archlinux-keyring/download/
> with the one shared at
> https://buildinfo.debian.net/9c6bf8bdfac8e3f427c7610bc66e364a3045ba8a/openturns_1.11-2_all.buildinfo
thanks for sharing your comparison! Indeed, the purpose is the same, but
not the implementation.
Plus there are more implementations (suse has one, though I lack good
reference pointers), and others are missing AFAIK (Tails, OpenWrt,
Webconverger come to my mind immediately).
as such, it is difficult to point interested parties to a coherent
description of what .buildinfos are - and what they should be.
> The main difference is Arch includes the .BUILDINFO inside the package
> and signs the whole package, where in Debian the .buildinfo is outside
> of the package (but contains its hash) and is signed separately.
>
> This means when a rebuilder successfully rebuilds in the same
> environment, there is no big difference: on Arch he can share a second
> signature of the same package, and on Debian he can share a second
> signed .buildinfo containing the same hash.
the main difference is that having the .BUILDINFO file is not enough to
(create and) verify an Archlinux package, because by this design the
.BUILDINFO file cannot contain a checksum of the package as the
.BUILDINFO file is part of it and thus would modify the result...
Also one needs to download a full binary package (potentially dozens of
megabytes) to rebuild (and verify) it and even then one will have to
exclude part of the package (the .buildinfo) and thus cannot simply
compare the checksums, unless the created .BUILDINFO is also bit by bit
identical. (While in the Debian case it's trivial to determine whether
two builds with slightly different .buildinfo files still have produced
identical packages...)
> While the Arch approach has the advantage that the .BUILDINFO is more
> 'tied' to the package
yet I fail to see the practical *benefits* of this approach, except that
it was probably easier to implement. I do however see some downsides
with it. (As explained above and elsewhere in this thread.)
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds).org
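The verification difference described in the message above, worked through in Python as an added example that is not part of this thread: two Arch-style builds whose embedded .BUILDINFO differs produce different whole-archive hashes, so a rebuilder has to compare with that member excluded, whereas a Debian-style detached .buildinfo carries the package hash and is checked with one comparison. The package layout, the .BUILDINFO contents and the Checksums-Sha256 stanza are constructed and simplified here.

```python
import hashlib
import io
import tarfile

PAYLOAD = {"usr/bin/tool": b"#!/bin/sh\necho hi\n"}      # constructed package content
BUILDINFO_A = b"format = 2\nbuilddate = 1534000000\n"   # constructed; the two differ
BUILDINFO_B = b"format = 2\nbuilddate = 1534100000\n"   # only in the build timestamp

def make_package(payload, buildinfo=None):
    """Arch-style archive: payload files plus a .BUILDINFO member (plain tar here;
    real packages are compressed, which does not change the argument)."""
    members = dict(payload)
    if buildinfo is not None:
        members[".BUILDINFO"] = buildinfo
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(members):          # deterministic member order
            info = tarfile.TarInfo(name)
            info.size = len(members[name])
            info.mtime = 0                    # normalised timestamp
            tar.addfile(info, io.BytesIO(members[name]))
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def payload_digest(package, exclude=(".BUILDINFO",)):
    """Digest over member names and contents with the metadata file skipped: the
    extra step a rebuilder needs when the .BUILDINFO lives inside the package."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(package)) as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            if m.isfile() and m.name not in exclude:
                h.update(m.name.encode() + b"\0" + tar.extractfile(m).read() + b"\0")
    return h.hexdigest()

def debian_style_verify(buildinfo_text, rebuilt_package):
    """Debian model: the detached .buildinfo lists the package hash, so a rebuild
    is checked with one hash comparison (only the Checksums-Sha256 stanza is read)."""
    in_stanza = False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
        elif in_stanza and line.startswith(" "):
            digest, _size, _name = line.split()
            return digest == sha256(rebuilt_package)
        else:
            in_stanza = False
    return False
```

With the constructed inputs, sha256() of the two Arch-style archives differs while payload_digest() of both is identical; the Debian-style check passes only for the exact package whose hash the stanza lists.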