[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Building Debian source packages reproducibly (was: Re: [RFC] Proposal for new source format)

Hi Ian,

On Mon, Oct 28, 2019 at 05:53:00PM +0000, Ian Jackson wrote:
> The sticking point, as I understand it, is that this still does not
> allow dak to verify that the *contents* of the .dsc were as intended
> by the uploading human. [0]
> In the tag2upload proposal, the conversion from git tag to dsc is
> `merely' done by an official Debian service on an official Debian
> machine, and is `merely' fully reproducible and auditable.
> But this is not good enough for some ftpmasters, who want that
> verification to be done *by dak*.  Various people attempted in the
> previous thread on this topic to find out *why* this is thought
> important, without apparent success.

I fear I'll have to side with "some ftpmasters" here. As a user, I also
want this verification work in both ways. Going from tag to upload is
insufficient in my view. What I want is "apt source" with history. This
is not debcheckout. I want the exact tree (tag) that matches unstable
including its git history in a way that exactly reproduces the build
failure seen on the source package.

In other words, I want these formats (source package and tagged git
tree) to be isomorphic (minus history). This requirement is too strong
since not every source package will have a corresponding tag, but when
there is a tag, I want to safely go from source package to tag and back
again and arrive where I started from. This property allows me to start
from a git tree that is authenticated by dak rather than a random git
tree on a random git server of questionable origin.

This backwards-connection seems to be missing thus far, but I do find it
important for the reasons above. Adding it would easily allow dak to
validate the signature on the tag.


Reply to: