[rb-general] Wished field in buildinfo files (debian)

[Eli Schwartz]

On 12/7/18 8:41 AM, Vagrant Cascadian wrote:
> On 2018-12-07, Juan Picca wrote:
>> About the fields listed in the buildinfo files [1], has sense to ask
>> for the inclusion of a field with the date of the build and the
>> distribution used to use with snapshot.debian.org?
> 
> The build date may have little to no correlation with the set of
> software used to do the build...
> 
> 
>> Rationale:
>> To reproduce a package (manually for now) maybe is convenient and easy
>> for the creation of the schroot used by sbuild an url based in s.d.o
>> with the timestamp of the build and the distribution used.
>>
>> Example:
>> For example in the buildinfo file for 0ad [2] I would like a field
>> similar to (name can change):
>>
>> Build-Snapshot: /archive/debian/20181203T153211Z testing
> 
> The official Debian buildds do not use snapshots.debian.org, and may not
> even be up to date with the current packages in sid/testing/stable,
> etc.
> 
> So you can only really guess at this information; there's no way to
> programatically know which appropriate snapshot was used- in fact, there
> may not even be a single snapshot which captures all of the packages
> used in the build.
> 
> If you're doing a rebuild, I could see this as a useful hint to other
> rebuilders, if you happen to use one or more Snapshots in the build, it
> would be useful to record that information. But it would have to be
> added after dpkg generates the .buildinfo; I doubt you'll be able to get
> that sort of code into dpkg.

The Arch Linux Archive has unambiguous links to every package. We use
dated snapshots to provide a view of the package repositories at any
given time (fully functional as repository mirrors) but also provide a
non-dated link:
archive.archlinux.org/packages/f/foo/foo-version-release-architecture.fileextension

Maybe Debian could provide something similar for its snapshots?

>> Pros:
>> This is a direct field to use instead of following the steps:
>>
>> 1. Convert the Build-Date from "Tue, 04 Dec 2018 11:35:52 +1400" to
>> "20181203T213552Z" (iso8601)
>> 2. Find in https://snapshot.debian.org/archive/debian/?year=2018&month=12
>> the snapshot for that date, in this example "20181203T153211Z"
>> 3. Find the distribution in the corresponding changelog file [3] for
>> the package version: unstable
> 
> So I definitely see value in recording this information for rebuilders,
> but I don't think it will be plausible to add for builds that do not use
> snapshots.debian.org.
> 
> It's also possible to re-build a package with a different distribution
> in the changelog file, though this is rare.

Why is this allowed by the tooling, to have multiple packages that claim
to be the exact same version and distro release?

Arch does not explicitly have tooling to blacklist this, but we would
consider it a major bug if someone went ahead and did it anyway.

I thought Debian-based distros used the distribution releasename as part
of the package release field, to prevent these sort of clashes.

-- 
Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20181207/422da92b/attachment.sig>