Reproducible Builds Verification Format

kpcyrd kpcyrd at rxv.cc
Wed May 13 20:07:12 UTC 2020


I think it makes sense to clarify who's supposed to consume the output;
almost all of the data in there is only useful for plumbing by r-b and
distro people, and I don't think that needs to be signed beyond transport
security.

The target "audience" of a rebuilder are package managers like pacman
and apt that decide if they are going to install or reject the given
package. pacman doesn't care about the buildlog, diffoscope or the
specific failure reason. If we distribute attestations on a per-package
basis we also already know the version, the distro and the package name
this attestation is supposed to belong to.

The only thing pacman cares about is "did this rebuilder successfully
verify this package" and only the "yes" case needs additional proof with
a signature, every other case boils down to "no". I'd prefer to check if
in-toto already solves this problem.

I'm also not sure if there's value in comparing *verification* results
cross distro, because it's definitely interesting if the build is found
to be *deterministic* in another distro (as tested by
tests.reproducible-builds.org and correlated by
ismypackagereproducibleyet.org), but *verification* failures are almost
by definition distro specific if the PKGBUILD/source package passed the
CI on tests.r-b.o.

I think before we consider standardizing anything cross-distro we should
wait until Debian has reached 1% independently verified. Considering
that Debian tends to be more special than other distros I'd feel
uncomfortable committing to a standard with zero Debian-rebuilder
experience. There could be something essential missing for all we know.


More information about the rb-general mailing list