
Re: Bad interaction between pbuilder/debhelper/dpkg-buildinfo/dpkg-genchanges and dak on security-master



On Sun, 2017-07-09 at 15:41 +0100, James Clarke wrote:
>  You've done the build, so by uploading the _amd64.buildinfo
> you are announcing that you were able to produce those build results in the
> specified environment, and in theory it allows anyone to compare the buildd's
> results to what you claim to have been able to build, without you ever having
> to upload the binaries (yes, throwing away binary uploads would allow you to do
> this, but *you would still want to upload and keep the _amd64.buildinfo
> otherwise you have nothing to compare against and you might as well have just
> done a source-only upload*).

Actually, I've done the build just to be sure what I'm uploading does build.
But I'm doing a source-only upload, I'm uploading only the _sources.changes
that pbuilder requests generating (with SOURCE_ONLY_CHANGES=yes in
.pbuilderrc), but the build does produce an _amd64.changes too (which I don't
touch).

Regards,
-- 
Yves-Alexis
