Holger Levsen writes ("Re: tag2upload service architecture and risk assessment - draft v2"):
> On Wed, Aug 28, 2019 at 05:07:00PM +0100, Ian Jackson wrote:
> > In my proposal the source package is reproducible (in the
> > "reproducible builds" sense) from the uploader's signed git tag.
>
> I'm confused. 'reproducible builds' is about creating bit by bit
> identical binaries from a given source.
>
> If you are talking about re-creating bit by bit identical source
> packages, that's fine, but nothing within the scope of reproducible
> builds.
Sorry for the confusion. When I wrote reproducible (in the "reproducible
builds" sense) I wasn't saying that this is somehow part of, or within the
scope of, the reproducible builds project. I was just clarifying what the
word "reproducible" meant in my sentence: I am using the word "reproducible"
the same way that the reproducible builds project uses it - ie I am
borrowing that definition of reproducible. (That's what "X (in the Y
sense)" means.)

I was indeed clarifying that I do mean bit-by-bit identical. In this case,
bit-by-bit identical dsc (apart from the signature of course), from (i) git
tag (ii) _source.buildinfo containing tools versions etc.

> Also, as a side note, we have tried to reproduce bit by bit identical
> source packages, failed and moved on. It didn't seem trivial when we
> tried.

I remember some of those discussions. I'm pretty sure it's possible in my
context, although there are as you say some difficulties with it in the
wider reproducible builds context.

I hope that helps.

Thanks,
Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a
private address which bypasses my fierce spamfilter.
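The check implied by "bit-by-bit identical dsc (apart from the signature of course)", as an added example that is not part of the thread or of tag2upload: it strips the OpenPGP clearsign wrapper from the uploader-signed .dsc, canonicalises both files the way clearsigning does (trailing whitespace ignored), and reports the first line on which the rebuilt .dsc diverges. The .dsc contents and signature block are constructed placeholders.

```python
# Added example (not from the thread or tag2upload): compare a rebuilt .dsc
# against the uploader's signed .dsc, ignoring only the clearsign wrapper.
import hashlib
from itertools import zip_longest

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def strip_clearsign(text):
    """Return the signed body of a clearsigned .dsc; unsigned input is returned unchanged.
    Dash-escaped lines ('- -foo') are unescaped as in RFC 4880 section 7.1."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        return text
    i = 1
    while i < len(lines) and lines[i] != "":  # skip armor headers such as 'Hash: SHA256'
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == BEGIN_SIG:
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body) + "\n"


def canonical(dsc):
    """Signature removed and per-line trailing whitespace dropped (clearsigning ignores it)."""
    return "\n".join(l.rstrip() for l in strip_clearsign(dsc).splitlines()) + "\n"


def dsc_digest(dsc):
    """SHA-256 of the canonical body: equal digests mean identical modulo signature."""
    return hashlib.sha256(canonical(dsc).encode()).hexdigest()


def first_difference(signed_dsc, rebuilt_dsc):
    """None when identical modulo signature, else (line number, signed line, rebuilt line)."""
    a, b = canonical(signed_dsc).splitlines(), canonical(rebuilt_dsc).splitlines()
    for n, (x, y) in enumerate(zip_longest(a, b), 1):
        if x != y:
            return n, x, y
    return None


# Constructed sample: a signed .dsc, the same content rebuilt from the tag, and a divergent rebuild.
BODY = ("Format: 3.0 (quilt)\nSource: example\nVersion: 1.2-1\nChecksums-Sha256:\n"
        " " + "0123456789abcdef" * 4 + " 1234 example_1.2.orig.tar.gz\n")
SIGNED_DSC = (f"{BEGIN_SIGNED}\nHash: SHA256\n\n{BODY}{BEGIN_SIG}\n\n"
              "placeholder-signature==\n-----END PGP SIGNATURE-----\n")
REBUILT_DSC = BODY
TAMPERED_DSC = BODY.replace("Version: 1.2-1", "Version: 1.2-2")
```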