Reproducible Builds Verification Format

[kpcyrd]

On Wed, May 13, 2020 at 09:39:40AM +0200, Arnout Engelen wrote:
> This seems useful, though I think it is helpful to describe the
> relationship between
> the 'buildinfo' and such a 'rebuild result'.
> 
> It is already common practice for a reproducible build to record a
> 'buildinfo' with
> information about how/where/etc the build was created (e.g.
> https://reproducible-builds.org/docs/recording/).
> A nice property of such a buildinfo is that it can be created just from the
> sources and dependencies, without needing access to any 'previous builds'
> of the same artifacts - so the process is the same for 'initial builders'
> and
> rebuilders.
> 
> I think rebuilders should definitely sign and share the buildinfo's produced
> by their (re)builds of the artifacts. On top of that, I agree it'd be
> helpful to
> collect buildinfo's, compare them, and publish a 'reproduction report' in a
> uniform way such as how you describe.

The buildinfo is an output of the initial build and becomes an input for
the rebuilder, but a rebuilder is always going to use the official
buildinfo when verifying the official package. I'm not sure if the
buildinfo of a rebuilder would be useful.

> Also, I think one build can result in multiple buildinfo's, and each
> buildinfo
> might in turn cover multiple output files. Perhaps the 'artifacts' field
> could
> be layered to reflect that structure?

As far as I know there's only one buildinfo output per build. In Arch
Linux this file is copied into the binary packages, in debian it's
published as "this is the buildinfo file for this version of this source
package" that can then be used to setup the build environment that all
binary packages have been built in. Please correct me if I'm wrong.