[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: reproducible .buildinfo inclusion in the archive and output by dpkg

Holger Levsen <holger@layer-acht.org> writes:
> together with Lunar we four sad together on the last Saturday of DebConf15 in 
> Heidelberg and discussed the next steps forward to achieve the inclusion of 
> .buildinfo inclusion in the Debian archive and output by dpkg.
> On the ftpmaster side we agreed that:
> - dak/queued has to be changed to accept .buildinfo files
> - will be stored on ftp-master, concatted and compressed it will be exposed to 
> the mirrors
>  - one per arch + suite, aka for each Packages file

How large are these? I'm sure the snapshot.d.o maintainers would prefer
something that does not change with each mirror push, or is not part of
the dists/ tree pushed to mirrors.

> - Packages file gets a certfied-by field:
>         Build-Signed-Off-By:  0603CCFD91865C17E88D4C798382C95C29023DF9 Jérémy 
> Bobbio <lunar@debian.org> which should include the checksum of the .buildinfo 
> file (or maybe not, see above)

I think having an external service for these is better: otherwise we
have to deal with who can add signatures, and probably would limit it to
people in Debian's keyring (I don't want ftp-master to deal with
external parties).  A seperate service could accept signatures from
everybody, including parties not directly involved in Debian or
automated systems.

Also adding even more data to the Packages indicies is something I would
like to avoid: the files are already quite large.


Reply to: