[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [rb-general] reproducible .debs outside of the Debian archive


(full quote for the benefit of the newly cc:ed readers…)

On Samstag, 23. Januar 2016, HW42 wrote:
> Qubes has, like a bunch of other projects, an own apt repo.
> Thanks to the work of the Debian reproducible builds project it's in the
> most cases pretty easy to get the packages reproducible. But to get
> "real" reproducible builds you need to record the required parts of the
> build environment (the patched dpkg does this already by creating a
> .buildinfo file) and the user needs to be able to reproduce the
> environment (the srebuild-script is still WIP).
> But this also requires to archive all source and binary packages and the
> .buildinfo files. Debian has snapshot.debian.org for this (the
> .buildinfo support is still WIP).
> So I'm interested what you recommend for this?

nothing so far, we have no experience with doing this at all :) so thanks for 
bringing this up here!

> Running an own
> instance of the snapshot.d.o software?

I guess this is overkill but I have never tried this. Also I dont think 
snapshot.d.o already has code to archive .buildinfo files, cc:ing the mailing 
list to get feedback on this.

> Keep all versions in one repo?

I think that's what I would suggest. Currently we only have a patch for dak to 
support keeping .buildinfo files, I think a wishlist bug against reprepro is 
in order! :-) 

IOW: for a qubes repo I would probably suggest to use reprepro, not dak.

> What about the .buildinfo files?

see above :)


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: