
Bug#944707: lintian: check for missing and unsigned .buildinfo files
On 2019-11-14, Chris Lamb wrote:
>> It would be nice if lintian checked for the presence of a .buildinfo
>> file when processing a .changes file.
>
> I'm obviously sold on the idea of .buildinfo files but what error or
> mistake might such a missing file imply on behalf of the developer?

I'm not sure it's a mistake, per se, but suggests that they're using
very old tooling to build packages, or home-grown tooling, both of which
might have various bugs... but that seems a weak argument to me.

My goal in filing this bug is to gently nudge developers to include
developer built .buildinfo files, and ideally sign them as well, which
increases the number of .buildinfo files we are able to use to verify a
given build.

It is in Debian policy that packages *should* be reproducible, and
.buildinfo files are a crucial element to be able to demonstrate and
verify that packages are reproducible.

Ideally with a source-only upload, every build would have at least one
.buildinfo from the build daemon and one .buildinfo from the developer
who submitted the source package and at least two potential points of
convergence.

I would think something at the info or pedantic level would be most
appropriate at this point in time, if deemed appropriate at all...

All of which you're probably well aware, but at least this is forcing me
to think it out more verbosely...

Maybe lintian isn't the right place for this (yet), but happy to have
started and to continue the conversation.


live well,
  vagrant
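A sketch of the check being proposed above, as an added example that is not part of this thread and not lintian's own code: it reads the Files: field of a .changes body, reports whether a .buildinfo is listed at all, and, if so, whether the file carries an OpenPGP clearsigned wrapper. The sample .changes text is constructed, and the armor test only detects that a signature wrapper is present; it does not verify the signature.

```python
"""Classify an upload as lintian might: .buildinfo missing, unsigned, or signed."""

# Constructed sample .changes body (fields abridged, checksums are placeholders).
CHANGES_WITH_BUILDINFO = """\
Format: 1.8
Source: hello
Files:
 00000000000000000000000000000000 1234 devel optional hello_2.10-2.dsc
 00000000000000000000000000000000 5678 devel optional hello_2.10-2.debian.tar.xz
 00000000000000000000000000000000 4321 devel optional hello_2.10-2_amd64.buildinfo
"""

CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"


def changes_files(changes_text):
    """Return the file names listed in the multi-line Files: field.

    Continuation lines of a deb822 field start with a space; the field ends at
    the first line that does not (including the PGP SIGNATURE block of a
    clearsigned .changes), so this also works on a signed .changes.
    """
    names = []
    in_files = False
    for line in changes_text.splitlines():
        if in_files:
            if line.startswith(" "):
                names.append(line.split()[-1])  # last column is the file name
                continue
            in_files = False
        if line.startswith("Files:"):
            in_files = True
    return names


def buildinfo_status(changes_text, buildinfo_contents):
    """Return 'missing', 'unsigned' or 'signed' for the upload.

    buildinfo_contents maps a file name to that file's text (constructed here;
    a real check would read the file sitting beside the .changes).
    """
    infos = [n for n in changes_files(changes_text) if n.endswith(".buildinfo")]
    if not infos:
        return "missing"  # no developer-built .buildinfo accompanies the upload
    text = buildinfo_contents.get(infos[0]) or ""
    if text.startswith(CLEARSIGN_HEADER):
        return "signed"  # wrapper present; signature validity not checked here
    return "unsigned"
```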
