On 2016-07-25, Jonathan McDowell wrote:
> I propose instead a Buildinfo.xz (or gz or whatever) file, which is a
> single text file containing all of the buildinfo information that
> corresponds to the Packages list. What is lost by this approach are the
> OpenPGP signatures that .buildinfo files can have on them. I appreciate
> this is an important part of the reproducible builds aim, but I believe
> one of its strengths is the ability for multiple separate package builds
> to attest that they have used that buildinfo information to build the
> exact same set of binary artefacts. This is not something that easily
> scales on the archive network and I think it is better served by a
> separate service; it would be possible to take the package snippet from
> the buildinfo file and sign that alone, uploading the signature to the
> attestation service. For "normal" Debian operation the usual archive
> signatures would provide a basic level of attestation of chain of build
> information.
>
> The rest of this mail continues on the above assumptions. If you do not
> agree with the above the below is probably null and void, so ignore it
> and instead educate me about what the requirements are and I'll try and
> adjust my ideas based on that.
>
> So. If a single Buildinfo.xz file is acceptable, with the attestation
> being elsewhere, I think this is doable without too much hackery in dak.
> There are some trade-offs to make though, and I need to check which are
> acceptable and which are viewed as too much.
I just wanted to give a huge thanks for taking a good look at this, even if it isn't exactly what has been specced out by earlier reproducible-builds discussions. Evaluating a somewhat different approach, especially if it turns out to be more feasible (at least from some angles), is really valuable in my eyes.

FWIW, I wasn't involved in the discussions spelling out what the reproducible builds project wanted in the archive, so I don't have much concrete to say, but you've clearly given some serious thought and effort to this, so I didn't want it to slip through the cracks!

I tried to read through some of the documentation I could find:

https://wiki.debian.org/ReproducibleBuilds/BuildinfoSpecification
https://reproducible-builds.org/events/athens2015/debian-buildinfo-review/
https://reproducible-builds.org/events/athens2015/buildinfo-content/

Having reviewed the above, there doesn't seem to be a huge conflict that you haven't at least considered already. Hopefully, someone with more history and context with the .buildinfo file discussions can chime in soonish...

live well,
vagrant