[rb-general] Reproducing sbt-reproducible-builds
Hervé Boutemy
hboutemy at apache.org
Sun Dec 23 15:07:53 CET 2018
On Sunday, 23 December 2018, 14:01:47 CET, Arnout Engelen wrote:
> On Sun, Dec 23, 2018 at 1:48 PM Hervé Boutemy <hboutemy at apache.org> wrote:
> > now I get the same hash: good news
>
> Great!!
>
> > then I could publish somewhere that I was able to reproduce this
> > sbt-reproducible-builds-0.19.jar file
> >
> > how?
>
> I think the most sensible way to achieve this is to share (and sign)
> your own buildinfo.
>
> > append my own signature to sbt-reproducible-builds.jar.asc?
> > in your original repository or in a separate repository that would be
> > append only on such .asc files?
>
> I think it would make sense to simply upload your own uniquely-named
> buildinfo and accompanying signature to a separate
> "certification/attestation repository", to which anyone can upload
> (append only) additional buildinfo's and signatures.
"uniquely-named buildinfo": good catch, I didn't even think of this detail.
To me, this is the additional detail that makes this scenario not viable: what
algorithm to create uniquely named files? And how would people just wanting to
benefit from the rebuild signature list the files?
I already did not think that an additional file was a good scenario, since this
would mean 1 or 2 files per rebuilder (PGP signature + eventual separate
buildinfo), then thousands of files (let's be optimistic and think many, many
people will rebuild).
That's why I thought of appending a personal signature to the existing
.asc: this does not add new files, just grows the existing files
and makes the discovery of others' signatures quite easy.
Do you know if some other strategy for rebuilders has been discussed during
Reproducible Builds day in Paris (be it for any other type of repository)?
Regards,
Hervé
>
>
> Kind regards,
>
> Arnout
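An added illustration of the single-file approach discussed in this message (not code from the thread or from sbt-reproducible-builds): assuming rebuilders' signatures are stored as concatenated ASCII-armored blocks in one .asc file, this Python example lists every block and checks its armor checksum. The sample signatures are constructed placeholder bytes, not real OpenPGP packets, and the helper names are hypothetical.

```python
import base64
import re

# One armored block, from its BEGIN line to its END line (RFC 4880, section 6.2).
ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----(.*?)-----END PGP SIGNATURE-----", re.DOTALL
)

def crc24(data):
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload):
    """Wrap raw bytes in a PGP SIGNATURE armor block (builds the sample below)."""
    body = base64.b64encode(payload).decode()
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + body + "\n=" + check
            + "\n-----END PGP SIGNATURE-----\n")

def split_signatures(asc_text):
    """Return the decoded payload of every armored block found in the file."""
    payloads = []
    for match in ARMOR_RE.finditer(asc_text.replace("\r\n", "\n")):
        # Armor headers such as "Version:" end at the first blank line.
        _headers, _, data = match.group(1).partition("\n\n")
        lines = data.split()
        body = "".join(l for l in lines if not l.startswith("="))
        checks = [l[1:] for l in lines if l.startswith("=")]
        payload = base64.b64decode(body)
        if checks and int.from_bytes(base64.b64decode(checks[0]), "big") != crc24(payload):
            raise ValueError("armor checksum mismatch: block is corrupted")
        payloads.append(payload)
    return payloads

# Constructed sample: the publisher's block followed by one appended by a rebuilder.
PUBLISHER_SIG = b"constructed-signature-from-original-publisher"
REBUILDER_SIG = b"constructed-signature-from-rebuilder"
SAMPLE_ASC = armor(PUBLISHER_SIG) + armor(REBUILDER_SIG)

if __name__ == "__main__":
    for index, sig in enumerate(split_signatures(SAMPLE_ASC), start=1):
        print(f"signature {index}: {len(sig)} bytes")
```

The armor checksum only detects corruption of a block; verifying each extracted signature against the rebuilder's public key is a separate step.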