Re: [Reproducible-builds] Moving towards buildinfo on the archive network

2016-08-21 Thread Ximin Luo
Jonathan McDowell: > On Sat, Aug 20, 2016 at 03:13:00PM +, Ximin Luo wrote: >> I have trouble imagining what could make Buildinfo.tgz hard, but make >> Buildinfo.xz easy - could you explain this in more detail, please? > > Debian's archive information is largely stored within a database;

Re: [Reproducible-builds] Moving towards buildinfo on the archive network

2016-08-21 Thread Ximin Luo
Jonathan McDowell: > On Sat, Aug 20, 2016 at 03:13:00PM +, Ximin Luo wrote: >> Note that the builder is a *distinct entity* from the distribution. >> It's important to keep the *original* signature by B on C. It breaks >> our security logic, to strip the signature and re-sign C using (e.g.) >>

Re: [Reproducible-builds] Moving towards buildinfo on the archive network

2016-08-21 Thread Jonathan McDowell
On Sat, Aug 20, 2016 at 03:13:00PM +, Ximin Luo wrote: > Jonathan McDowell: > > Having been impressed by the current status of reproducible builds > > and the fact it looks like we're close to having the important > > pieces in Debian proper, I have started to have a look at how I > > could

Re: [Reproducible-builds] Moving towards buildinfo on the archive network

2016-08-20 Thread Ximin Luo
Hey, Lunar has stopped doing reproducible builds as a regular thing, and I'm taking over his previous responsibilities. I was also the main other person in formulating the ideas behind the "next iteration" of buildinfo, that dkg described in message #10 earlier in this thread, with Message-ID

Re: [Reproducible-builds] Moving towards buildinfo on the archive network

2016-08-03 Thread Johannes Schauer
Hi Jonathan, Quoting Jonathan McDowell (2016-07-25 22:29:39) > Having been impressed by the current status of reproducible builds and > the fact it looks like we're close to having the important pieces in > Debian proper, I have started to have a look at how I could help out > with this bug. I've

Re: [Reproducible-builds] Moving towards buildinfo on the archive network

2016-08-02 Thread Vagrant Cascadian
On 2016-07-25, Jonathan McDowell wrote: > I propose instead a Buildinfo.xz (or gz or whatever) file, which is > a single text file containing all of the buildinfo information that > corresponds to the Packages list. What is lost by this approach are the > OpenPGP signatures that .buildinfo