Reproducible Builds Verification Format
Holger Levsen
holger at layer-acht.org
Wed May 20 14:17:56 UTC 2020
hi,
i'm just replying to two small sub points here, I still need to find
the time for a proper general reply. (Besides: YAY, I'm glad we're
finally having this discussion here and several proposals to discuss!)
On Wed, May 13, 2020 at 08:31:21PM +0000, kpcyrd wrote:
> The buildinfo is an output of the initial build and becomes an input for
> the rebuilder, but a rebuilder is always going to use the official
> buildinfo when verifying the official package. I'm not sure if the
> buildinfo of a rebuilder would be useful.
think about a malicious initial build. in this case it would be very useful
to be able to detect that all the rebuilds get the same result, differing
from the initial build.
> > Also, I think one build can result in multiple buildinfo's, and each
> > buildinfo
> > might in turn cover multiple output files. Perhaps the 'artifacts' field
> > could
> > be layered to reflect that structure?
> As far as I know there's only one buildinfo output per build. In Arch
> Linux this file...
I'm not sure you ment 'one buildinfo file per build' but openwrt produces
3 .buildinfo files for each build.
Also it is imaginable that a source build which creates X artifacts also
creates X .buildinfo files. (And sometimes I wish that Debian would do that.)
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20200520/8268d8b4/attachment.sig>
More information about the rb-general
mailing list