[rb-general] Comparison of the Debian and Arch .buildinfo approaches (was: Re: buildinfo filename convention)

Levente Polyak levente at leventepolyak.net
Sat Aug 18 19:51:43 CEST 2018

On August 18, 2018 6:46:12 PM GMT+02:00, Holger Levsen <holger at layer-acht.org> wrote:
>> The main difference is Arch includes the .BUILDINFO inside the
>> and signs the whole package, where in Debian the .buildinfo is
>> of the package (but contains its hash) and is signed separately.
>> This means when a rebuilder successfully rebuilds in the same
>> environment, there is no big difference: on Arch he can share a
>> signature of the same package, and on Debian he can share a second
>> signed .buildinfo containing the same hash.
>the main difference is that having the .BUILDINFO file is not enough to
>(create and) verify an Archlinux package, because by this design the
>.BUILDINFO file cannot contain a checksum of the package as the
>.BUILDINFO file is part of it and thus would modify the result...
>Also one needs to download a full binary package (potentially dozens of
>megabytes) to rebuild (and verify) it and even then one will have to
>exclude part of the package (the .buildinfo) and thus cannot simply
>compare the checksums, unless the created .BUILDINFO is also bit by bit
>identical. (While in the Debian case it's trivial to determine whether
>two builds with slightly different .buildinfo files still have produced
>identical packages...)

I believe all your points here are addresses in my comprehensive
explanation in this thread and why in fact don't need the binary
package per se but just the buildinfo file plus the detached package
signature f.e.. 
Especially nobody shall ever check reproducibility by ignoring any
pieces, that defeats the purpose but as written that is not required
at all. 

I still, as explained, strongly believe that slightly varying environments
in terms of package versions is just an academic and theoretical
advantage and the only real advantage I see is additional non
required information to track down potential sources of

Maybe you missed my response? :-)
Cheers and have a nice evening,

More information about the rb-general mailing list