Evaluation of bundling .buildinfo in .deb proposal
Eli Schwartz
eschwartz at archlinux.org
Tue Sep 1 17:56:05 UTC 2020
On 9/1/20 12:58 PM, Chris Lamb wrote:
> Hi kpcyrd,
>
>> - What was the original motivation of putting the size and checksum of the
>> package into the buildinfo file? We aren't tracking this info in Arch Linux
>> and it turned out we didn't need those fields to implement a rebuilder.
>
> This was interesting to me as I think I am missing something about
> your particular goals, Arch's build architecture, or Arch's approach
> to Reproducible Builds.
>
> Assuming that the purpose of a rebuilder is to independently validate
> that you get the same result given some build environment (i.e. not
> *simply* to rebuild, despite its name), without access to those checksums,
> how do you know if the output from a rebuilder counts as "valid" or not?
Instead of distributing a debian-buildinfo containing both
- the buildinfo (build environment description)
- a hash of the output
you distribute
- the output
which contains, inside it, the buildinfo.
So our rebuilder receives a binary package as input, which means it
still gets the checksum as input.
> (I might guess that you are getting them from somewhere else, but some
> clarification might be useful here.)
>
>> Sorry for being rather Arch centric in this email, but I think it's a good idea
>> to ensure you're familiar with how other distros solved the problem that
>> debian is facing since a few years.
>
> Nothing to apologise for. However, as I alluded to above, it may be
> that Debian has different goals, rather than this is Debian being
> obstinate and unwilling to look at other distributions' solutions that
> you may have inadvertently been implying.
>
>
> Best wishes,
>
> --
> o
> ⬋ ⬊ Chris Lamb
> o o reproducible-builds.org 💠
> ⬊ ⬋
> o
>
--
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
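To make the distinction in the exchange above concrete, here is an added example that is not from the email thread or from any real rebuilder: a toy "package" is a plain tar archive carrying a .BUILDINFO text file next to its payload, and a deliberately simple stand-in compiler produces output as a pure function of the environment that file declares. The rebuilder then needs only the package itself: it extracts the embedded build environment, rebuilds, and compares the hash of what it produced with the hash of what it was handed. The package layout, the key = value buildinfo syntax and the stand-in compiler are all assumptions made for the example.

```python
import hashlib
import io
import tarfile

# Constructed environment description, in a key = value form assumed for this example.
BUILDINFO = """\
pkgname = hello
pkgver = 1.0-1
installed = gcc-10.2.0-1
installed = glibc-2.32-1
"""

# Same package declared against a different toolchain (constructed, for the mismatch case).
OTHER_BUILDINFO = BUILDINFO.replace("gcc-10.2.0-1", "gcc-9.3.0-1")


def parse_buildinfo(text: str):
    """Return (key, value) pairs; blank lines and '#' comments are skipped."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(" = ")
        pairs.append((key.strip(), value.strip()))
    return pairs


def toy_compile(buildinfo: str) -> bytes:
    """Stand-in for the real build step: output depends only on the declared environment."""
    installed = sorted(v for k, v in parse_buildinfo(buildinfo) if k == "installed")
    return ("hello, built against " + " ".join(installed) + "\n").encode()


def build_package(buildinfo: str, payload: bytes) -> bytes:
    """Assemble a package: a tar archive whose first member is the embedded .BUILDINFO.

    Timestamps and ownership are pinned so the archive is byte-for-byte reproducible.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in ((".BUILDINFO", buildinfo.encode()), ("usr/bin/hello", payload)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_buildinfo(package: bytes) -> str:
    """Read the environment description that travels inside the package."""
    with tarfile.open(fileobj=io.BytesIO(package), mode="r") as tar:
        member = tar.extractfile(tar.getmember(".BUILDINFO"))
        return member.read().decode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rebuild_and_verify(received_package: bytes) -> dict:
    """Rebuilder: the package is both the input and the expected output.

    No separate checksum is shipped; the hash of the received artifact is computed
    locally and compared with the hash of an independent rebuild from the embedded
    .BUILDINFO.
    """
    buildinfo = extract_buildinfo(received_package)
    rebuilt = build_package(buildinfo, toy_compile(buildinfo))
    expected = sha256_hex(received_package)
    actual = sha256_hex(rebuilt)
    return {"expected_sha256": expected, "rebuilt_sha256": actual, "reproducible": expected == actual}


if __name__ == "__main__":
    honest = build_package(BUILDINFO, toy_compile(BUILDINFO))
    print("honest package:", rebuild_and_verify(honest)["reproducible"])
    # A package whose payload does not match the environment it claims to have been
    # built in: the rebuilder flags it even though no external checksum exists.
    mismatched = build_package(BUILDINFO, toy_compile(OTHER_BUILDINFO))
    print("mismatched package:", rebuild_and_verify(mismatched)["reproducible"])
```

The point the example isolates is that a rebuilder working from the artifact already holds the checksum implicitly: hashing the received package yields the value a Debian-style .buildinfo would have carried as a separate field. Its detection power comes from rebuilding from the embedded environment and comparing, which is why the mismatched package is caught.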