[rb-general] Core Debian reproducibility: how close?

Santiago Torres santiago at nyu.edu
Tue Oct 23 20:47:42 CEST 2018


> In short: It's hard for me to tell "what's left to do for real Debian (at least
> its required parts) to be reproducible?"

Hi, I don't know if I'm missing context on the "theory to practice"
aspect of it, but it appears that this is something we're trying to fix
using the debian rebuilder setup and the buildinfo archive:

    https://buildinfo.debian.net/

The rebuilder will basically reproduce a package in distinct
infrastructure and post an attestation about this action. Here's our
repo:

    https://salsa.debian.org/reproducible-builds/debian-rebuilder-setup/tree/integrate-srebuild

The idea long term would be to enforce threshold signing on reproducible
packages using something akin to in-toto*:

    https://in-toto.github.io/

I'll say there's something along these lines already in the works, but
it's not released yet.

I don't know how much this helps contextualize your question though...

Thanks,
-Santiago.

* (disclaimer, I'm the lead dev on in-toto...)
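
Added example (not part of Santiago's post, and not code from in-toto or the
debian-rebuilder-setup repository): a small model of the threshold policy the
message sketches. Several independent rebuilders each reproduce a package,
hash the resulting artifact and publish a signed attestation; a consumer
accepts the package only if at least `threshold` distinct trusted rebuilders
attest the same hash that the archive's buildinfo records. Rebuilder names,
keys, the package bytes and the attestation layout are all constructed here;
HMAC over a per-rebuilder secret stands in for a real signature scheme (a
simplifying assumption so the example runs offline; in-toto itself uses
asymmetric keys and a richer link/layout format).

```python
import hashlib
import hmac
import json

# Constructed trusted-rebuilder keys (assumption: the consumer already
# holds these out of band, e.g. via a signed root of trust).
TRUSTED_KEYS = {
    "rebuilder-a": b"secret-key-a",
    "rebuilder-b": b"secret-key-b",
    "rebuilder-c": b"secret-key-c",
}

# Constructed artifact bytes: GOOD is what the archive shipped, BAD is what a
# rebuilder produces when the build embeds something unreproducible.
GOOD = b"hello_1.0-1_amd64.deb contents (constructed)"
BAD = GOOD + b"\nbuilt at 2018-10-23T20:47:42"

# Constructed buildinfo-style record for the shipped package.
BUILDINFO = {"package": "hello", "version": "1.0-1",
             "sha256": hashlib.sha256(GOOD).hexdigest()}


def artifact_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_attestation(rebuilder_id: str, key: bytes, package: str,
                     version: str, artifact: bytes) -> dict:
    """What a rebuilder publishes after rebuilding on its own infrastructure."""
    body = {"rebuilder": rebuilder_id, "package": package,
            "version": version, "sha256": artifact_hash(artifact)}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_attestation(att: dict, trusted_keys: dict) -> bool:
    """Reject attestations from unknown rebuilders or with a bad signature."""
    key = trusted_keys.get(att["body"]["rebuilder"])
    if key is None:
        return False
    expected = hmac.new(key, canonical(att["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["sig"])


def threshold_check(buildinfo: dict, attestations: list,
                    trusted_keys: dict, threshold: int):
    """Return (accepted, sorted list of rebuilders that agree with buildinfo)."""
    agreeing = set()  # a set, so one rebuilder re-posting cannot count twice
    for att in attestations:
        if not verify_attestation(att, trusted_keys):
            continue
        b = att["body"]
        if (b["package"], b["version"], b["sha256"]) == (
                buildinfo["package"], buildinfo["version"], buildinfo["sha256"]):
            agreeing.add(b["rebuilder"])
    return len(agreeing) >= threshold, sorted(agreeing)


def sample_attestations() -> list:
    """Constructed mix of honest, divergent, duplicate, untrusted and tampered attestations."""
    a = make_attestation("rebuilder-a", TRUSTED_KEYS["rebuilder-a"], "hello", "1.0-1", GOOD)
    b = make_attestation("rebuilder-b", TRUSTED_KEYS["rebuilder-b"], "hello", "1.0-1", GOOD)
    c = make_attestation("rebuilder-c", TRUSTED_KEYS["rebuilder-c"], "hello", "1.0-1", BAD)
    untrusted = make_attestation("rebuilder-x", b"nobody-trusts-this", "hello", "1.0-1", GOOD)
    # Tampered: c's body edited to claim GOOD, but signature left unchanged.
    tampered = {"body": dict(c["body"]), "sig": c["sig"]}
    tampered["body"]["sha256"] = BUILDINFO["sha256"]
    return [a, b, c, a, untrusted, tampered]


def demo(threshold: int):
    return threshold_check(BUILDINFO, sample_attestations(), TRUSTED_KEYS, threshold)


if __name__ == "__main__":
    for k in (2, 3):
        ok, who = demo(k)
        print(f"threshold={k}: accepted={ok} agreeing={who}")
```

With two of three trusted rebuilders agreeing the package passes a 2-of-3
policy and fails a 3-of-3 one; the divergent build from rebuilder-c, the
duplicate from rebuilder-a, the untrusted rebuilder-x and the tampered copy
all contribute nothing to the count.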