Evaluation of bundling .buildinfo in .deb proposal
eschwartz at archlinux.org
Tue Sep 1 17:56:05 UTC 2020
On 9/1/20 12:58 PM, Chris Lamb wrote:
> Hi kpcyrd,
>> - What was the original motivation of putting the size and checksum of the
>> package into the buildinfo file? We aren't tracking this info in Arch Linux
>> and it turned out we didn't need those fields to implement a rebuilder.
> This was interesting to me as I think I am missing something about
> your particular goals, Arch's build architecture, or Arch's approach
> to Reproducible Builds.
> Assuming that the purpose of a rebuilder is to independently validate
> that you get the same result given some build environment (i.e. not
> *simply* to rebuild, despite its name), without access to those checksums,
> how do you know if the output from a rebuilder counts as "valid" or not?
Instead of distributing a debian-buildinfo containing both
- the buildinfo (build environment description)
- a hash of the output
- the output
which contains, inside it, the buildinfo.
So our rebuilder receives a binary package as input, which means it
still gets the checksum as input,
> (I might guess that you are getting them from somewhere else, but some
> clarification might be useful here.)
>> Sorry for being rather Arch centric in this email, but I think it's a good idea
>> to ensure you're familiar with how other distros solved the problem that
>> Debian has been facing for a few years.
> Nothing to apologise for. However, as I alluded to above, it may be
> that Debian has different goals, rather than this is Debian being
> obstinate and unwilling to look at other distributions' solutions that
> you may have inadvertently been implying.
> Best wishes,
> ⬋ ⬊ Chris Lamb
> o o reproducible-builds.org 💠
> ⬊ ⬋
Arch Linux Bug Wrangler and Trusted User
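The flow described in the reply above (the rebuilder takes the binary package as input, reads the buildinfo from inside it, and uses the hash of that same package as the expected value), as an added example that is not part of the original message or of Arch's rebuilder. The uncompressed tar layout, `stand_in_rebuild`, and all sample values are constructed assumptions; a real rebuild would recreate the recorded environment and run the actual build.

```python
import hashlib
import io
import tarfile

# Constructed sample; keys follow the "key = value" layout of Arch's .BUILDINFO.
BUILDINFO = (b"pkgname = hello\npkgver = 1.0-1\n"
             b"installed = gcc-10.2.0-1-x86_64\ninstalled = glibc-2.32-2-x86_64\n")

def make_pkg(files):
    """Pack files into a tar with fixed metadata, so equal input gives equal bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)  # mtime, uid and gid default to 0
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def read_buildinfo(pkg):
    """Return the embedded .BUILDINFO as {key: [values]}; keys may repeat."""
    with tarfile.open(fileobj=io.BytesIO(pkg)) as tar:
        text = tar.extractfile(".BUILDINFO").read().decode()
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            info.setdefault(key, []).append(value)
    return info

def stand_in_rebuild(info):
    """Hypothetical build step: a real rebuilder installs info['installed'] first."""
    lines = [f"{k} = {v}\n" for k, vals in info.items() for v in vals]
    return make_pkg({".BUILDINFO": "".join(lines).encode(),
                     "usr/bin/hello": b"hello binary\n"})

def verify(published_pkg, rebuild=stand_in_rebuild):
    """Hash the package we were given, rebuild from its own buildinfo, compare."""
    expected = hashlib.sha256(published_pkg).hexdigest()
    actual = hashlib.sha256(rebuild(read_buildinfo(published_pkg))).hexdigest()
    return expected == actual

# Constructed packages: one that matches the stand-in build, one that does not.
PUBLISHED = make_pkg({".BUILDINFO": BUILDINFO, "usr/bin/hello": b"hello binary\n"})
ALTERED = make_pkg({".BUILDINFO": BUILDINFO, "usr/bin/hello": b"different binary\n"})

if __name__ == "__main__":
    print("published reproduces:", verify(PUBLISHED))
    print("altered reproduces:", verify(ALTERED))
```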