Reproducible Builds Verification Format

Holger Levsen holger at
Wed May 20 14:17:56 UTC 2020


I'm just replying to two small sub points here, I still need to find
the time for a proper general reply. (Besides: YAY, I'm glad we're
finally having this discussion here and several proposals to discuss!)

On Wed, May 13, 2020 at 08:31:21PM +0000, kpcyrd wrote:
> The buildinfo is an output of the initial build and becomes an input for
> the rebuilder, but a rebuilder is always going to use the official
> buildinfo when verifying the official package. I'm not sure if the
> buildinfo of a rebuilder would be useful.

Think about a malicious initial build. In this case it would be very useful
to be able to detect that all the rebuilds get the same result, differing
from the initial build.

> > Also, I think one build can result in multiple buildinfo's, and each
> > buildinfo might in turn cover multiple output files. Perhaps the
> > 'artifacts' field could be layered to reflect that structure?
> As far as I know there's only one buildinfo output per build. In Arch
> Linux this file...

I'm not sure you meant 'one buildinfo file per build' but openwrt produces
3 .buildinfo files for each build.

Also it is imaginable that a source build which creates X artifacts also
creates X .buildinfo files. (And sometimes I wish that Debian would do that.)


       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
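The two points above (a malicious initial build that all independent rebuilders disagree with, and a single build that emits several .buildinfo files each covering a subset of the artifacts) can be modelled together. The following is an added example, not code from the original post or from any rebuilder project; the record layout, the `BuildReport`/`BuildInfo` names and the verdict labels are assumptions of this example, and the sample checksums are computed from constructed stand-in strings rather than real packages.

```python
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    """Hex SHA-256, used here only to build constructed sample checksums."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class BuildInfo:
    """One .buildinfo record: a builder's claim of artifact name -> checksum."""
    builder: str
    artifacts: dict  # artifact file name -> sha256 hex digest


@dataclass
class BuildReport:
    """A single build may produce several .buildinfo files (as the post says
    OpenWrt does), each covering a subset of the output artifacts."""
    builder: str
    buildinfos: list

    def artifact_hashes(self) -> dict:
        """Merge the per-file buildinfo records into one name -> digest map,
        rejecting a report whose own buildinfo files contradict each other."""
        merged = {}
        for bi in self.buildinfos:
            for name, digest in bi.artifacts.items():
                if name in merged and merged[name] != digest:
                    raise ValueError(f"{self.builder}: conflicting hashes for {name}")
                merged[name] = digest
        return merged


def classify(official: BuildReport, rebuilds: list) -> dict:
    """Compare every official artifact against all rebuilders' results.

    Verdicts (assumed labels for this example):
      reproduced     - every rebuilder that built it matches the official hash
      suspicious     - rebuilders all agree with each other but not with the
                       official build: the signature a compromised initial
                       build leaves, which is why rebuilder output is worth
                       keeping and not just the official buildinfo
      unreproducible - rebuilders disagree among themselves (ordinary
                       non-determinism, no single trustworthy answer)
      unverified     - no rebuilder has covered this artifact yet
    """
    official_hashes = official.artifact_hashes()
    rebuild_hashes = [r.artifact_hashes() for r in rebuilds]
    verdicts = {}
    for name, official_digest in official_hashes.items():
        seen = [h[name] for h in rebuild_hashes if name in h]
        if not seen:
            verdicts[name] = "unverified"
        elif all(d == official_digest for d in seen):
            verdicts[name] = "reproduced"
        elif len(set(seen)) == 1:
            verdicts[name] = "suspicious"
        else:
            verdicts[name] = "unreproducible"
    return verdicts


# Constructed sample data: hashes of stand-in strings, not real packages.
GOOD = sha256(b"pkg-a 1.0 clean")
TAMPERED = sha256(b"pkg-a 1.0 modified")   # stands in for a bad official output
NOISY_1 = sha256(b"pkg-b build timestamp 1")
NOISY_2 = sha256(b"pkg-b build timestamp 2")
LIB = sha256(b"libfoo clean")

# The official build emits two .buildinfo files covering different artifacts.
OFFICIAL = BuildReport("official", [
    BuildInfo("official", {"pkg-a.tar": TAMPERED, "pkg-b.tar": NOISY_1}),
    BuildInfo("official", {"libfoo.so": LIB}),
])
REBUILDS = [
    BuildReport("rebuilder-1", [BuildInfo("rebuilder-1",
        {"pkg-a.tar": GOOD, "pkg-b.tar": NOISY_2, "libfoo.so": LIB})]),
    BuildReport("rebuilder-2", [BuildInfo("rebuilder-2",
        {"pkg-a.tar": GOOD, "pkg-b.tar": NOISY_1, "libfoo.so": LIB})]),
    BuildReport("rebuilder-3", [BuildInfo("rebuilder-3",
        {"pkg-a.tar": GOOD, "libfoo.so": LIB})]),
]


def sample_verdicts() -> dict:
    """Run the classifier over the constructed sample."""
    return classify(OFFICIAL, REBUILDS)


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name}: {verdict}")
```

The point of keeping each rebuilder's own result rather than only a match/no-match flag against the official buildinfo is the "suspicious" case: `pkg-a.tar` is flagged only because three independent results can be compared with each other, whereas `pkg-b.tar` shows plain non-determinism and `libfoo.so` reproduces cleanly.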