Evaluation of bundling .buildinfo in .deb proposal
kpcyrd at rxv.cc
Mon Aug 31 18:05:41 UTC 2020
I'm a bit short on time, sorry in advance if the email is a little short/blunt:
- What was the original motivation of putting the size and checksum of the
package into the buildinfo file? We aren't tracking this info in Arch Linux
and it turned out we didn't need those fields to implement a rebuilder.
Please consider simply dropping those fields instead of trying to build a
tool to work around this.
In Arch Linux we consider the buildinfo file a build parameter to ensure the
build environment is always identical, but strictly speaking it's not a build
output (even though it's generated during the package build, but you can
generate it without actually running the whole build). Having access to the build
outputs is not necessary and out of scope of "recording the build
environment". In my opinion everything in the buildinfo file that goes beyond
"a collection of parameters for the build" is feature-creep at the cost of
This also solves the .changes problem (if I understood it correctly). The
buildinfo file is available very early (as long as you stop referencing build
outputs) and you can simply include it when creating the deb in the first
place instead of manipulating it afterwards.
- The current debian reproducible builds effort is very focused on debian.org,
but virtually none of that can be downstreamed by debian derivates. Having
externally hosted buildinfo files is an effort that every downstream would
need to repeat and every rebuilder need to know about. All Arch Linux
downstreams I've checked ship buildinfo files, while zero debian downstreams
do. This is an advantage that's currently not mentioned yet.
- The "having the buildinfo file in the binary package is wasteful" argument is
a micro optimization that pushes a non-trivial amount of extra complexity on
the debian r-b developers. Considering that debian rebuilder tooling is still
very sparse due to the lack of developer resources I'm not sure that's a
- I don't understand the concern about source-only uploads. The uploader can't
know the build environment that buildd is going to setup, therefore the
buildinfo file needs to be generated by buildd anyway.
Sorry for being rather Arch centric in this email, but I think it's a good idea
to ensure you're familiar with how other distros solved the problem that
debian is facing since a few years.
More information about the rb-general