Evaluation of bundling .buildinfo in .deb proposal

[kpcyrd]

I'm a bit short on time, sorry in advance if the email is a little short/blunt:

- What was the original motivation of putting the size and checksum of the
  package into the buildinfo file? We aren't tracking this info in Arch Linux
  and it turned out we didn't need those fields to implement a rebuilder.
  Please consider simply dropping those fields instead of trying to build a
  tool to work around this.

  In Arch Linux we consider the buildinfo file a build parameter to ensure the
  build environment is always identical, but strictly speaking it's not a build
  output (even though it's generated during the package build, but you can
  generate it without actually running the whole build). Having access to the build
  outputs is not necessary and out of scope of "recording the build
  environment". In my opinion everything in the buildinfo file that goes beyond
  "a collection of parameters for the build" is feature-creep at the cost of
  complexity.

  This also solves the .changes problem (if I understood it correctly). The
  buildinfo file is available very early (as long as you stop referencing build
  outputs) and you can simply include it when creating the deb in the first
  place instead of manipulating it afterwards.

- The current debian reproducible builds effort is very focused on debian.org,
  but virtually none of that can be downstreamed by debian derivates. Having
  externally hosted buildinfo files is an effort that every downstream would
  need to repeat and every rebuilder need to know about. All Arch Linux
  downstreams I've checked ship buildinfo files, while zero debian downstreams
  do. This is an advantage that's currently not mentioned yet.

- The "having the buildinfo file in the binary package is wasteful" argument is
  a micro optimization that pushes a non-trivial amount of extra complexity on
  the debian r-b developers. Considering that debian rebuilder tooling is still
  very sparse due to the lack of developer resources I'm not sure that's a
  smart trade-off.

- I don't understand the concern about source-only uploads. The uploader can't
  know the build environment that buildd is going to setup, therefore the
  buildinfo file needs to be generated by buildd anyway.

Sorry for being rather Arch centric in this email, but I think it's a good idea
to ensure you're familiar with how other distros solved the problem that
debian is facing since a few years.