Re: tag2upload service architecture and risk assessment - draft v2
Holger Levsen writes ("Re: tag2upload service architecture and risk assessment - draft v2"):
> On Wed, Aug 28, 2019 at 05:07:00PM +0100, Ian Jackson wrote:
> > In my proposal the source package is reproducible (in the
> > "reproducible builds" sense) from the uploader's signed git tag.
>
> I'm confused. 'reproducible builds' is about creating bit by bit
> identical binaries from a given source.
>
> If you are talking about re-creating bit by bit identical source
> packages, that's fine, but nothing within the scope of reproducible
> builds.
Sorry for the confusion. When I wrote
  reproducible (in the "reproducible builds" sense)
I wasn't saying that this is somehow part of, or within the scope of,
the reproducible builds project. I was just clarifying what the word
"reproducible" meant in my sentence: I am using the word
"reproducible" the same way that the reproducible builds project uses
it - i.e. I am borrowing that definition of reproducible. (That's what
"X (in the Y sense)" means.)
I was indeed clarifying that I do mean bit-by-bit identical. In this
case, a bit-by-bit identical dsc (apart from the signature, of course),
from (i) the git tag and (ii) the _source.buildinfo containing tool versions etc.
> Also, as a side note, we have tried to reproduce bit by bit identical
> source packages, failed and moved on. It didn't seem trivial when we
> tried.
I remember some of those discussions. I'm pretty sure it's possible
in my context, although there are as you say some difficulties with it
in the wider reproducible builds context.
I hope that helps.
Thanks,
Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
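As an added example, not code from the tag2upload proposal or from the reproducible builds project: a check for the property Ian describes above, that two .dsc files are bit-for-bit identical apart from the uploader's OpenPGP clearsign signature. It strips the clearsign armor as specified in RFC 4880 and compares digests of the signed body; the .dsc contents and signature blocks below are constructed placeholders, not a real package or real signatures.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def strip_clearsign(text: str) -> str:
    """Return the signed body of an OpenPGP clearsigned text (RFC 4880 section 7);
    an unsigned .dsc is returned unchanged, dash-escaped lines are unescaped."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        return text  # not clearsigned: the whole file is the body
    i = 1
    while i < len(lines) and lines[i] != "":  # skip "Hash: ..." armor headers
        i += 1
    i += 1  # skip the blank line that ends the headers
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        body.append(line[2:] if line.startswith("- ") else line)
        i += 1
    if i == len(lines):
        raise ValueError("clearsigned text without a signature block")
    # RFC 4880: the line ending just before the signature block is not signed
    return "\n".join(body)


def dsc_digest(text: str) -> str:
    """SHA-256 of the .dsc content with the signature removed."""
    return hashlib.sha256(strip_clearsign(text).encode()).hexdigest()


def same_source_package(dsc_a: str, dsc_b: str) -> bool:
    """True when two .dsc files are bit-for-bit identical apart from the signature."""
    return dsc_digest(dsc_a) == dsc_digest(dsc_b)


# Constructed sample data: placeholder .dsc body, placeholder signature blocks.
BODY = """Format: 3.0 (quilt)
Source: example
Version: 1.0-1
Checksums-Sha256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 example_1.0.orig.tar.xz
"""


def clearsign(body: str, fake_sig: str) -> str:
    """Wrap a body in clearsign armor around a placeholder signature (constructed)."""
    return (f"{BEGIN_MSG}\nHash: SHA512\n\n{body}{BEGIN_SIG}\n\n{fake_sig}\n"
            "-----END PGP SIGNATURE-----\n")


DSC_A = clearsign(BODY, "placeholder-signature-1")  # same body, signed twice
DSC_B = clearsign(BODY, "placeholder-signature-2")
DSC_C = clearsign(BODY.replace("1.0-1", "1.0-2"), "placeholder-signature-3")
```

The same comparison applies to a .dsc rebuilt from the signed git tag plus its _source.buildinfo versus the one the uploader produced: equal digests of the signed body mean the source package was reproduced bit-for-bit.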