[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [rb-general] reproducible .debs outside of the Debian archive

Jérémy Bobbio:
> HW42:
>> reprepro unfortunately can't handle multiple version of a package in
>> one repo. After a quick search it seems aptly is suitable.
> reprepro has a `gensnapshot` command that might help to archive older
> versions though.

My current plan (for Qubes) was to have an "archive" repo which contains
all old versions. This has the advantage that you don't have to search
for the right snapshots.

>> Before filling a wishlist bug, we should think about what the desired
>> behavior is. Where should the .buildinfo be saved? How should they be
>> indexed?
> This is still pretty much in flux as we are still waiting for feedback
> from the ftpmasters.
>> IIRC the plan for dak was some separate tar-archive with all the
>> .buildinfo files? Will it be signed?
> The archive will not be signed directly, but its hash should be in the
> Release file which is signed.

Ok (That counts as signed in the context of my question).

When a new package is uploaded the archive will be regenerated?

Is there some bug/ML-thread where the details are discussed?

> The .buildinfo files themselves are signed just like .dsc files.

Yes, this is clear. This is done by the builder. I was thinking of the
.buildinfo index.

>> Is there some interface planed where I can get a single .buildinfo?
> Maybe on <http://metadata.ftp-master.debian.org/>. Again, there are
> still no definite answers at the moment. If you have suggestions, go
> ahead.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: