On Wed, Feb 01, 2023 at 08:40:46PM -0500, David A. Wheeler wrote:
> Maybe call it "Ways to combine reproducible builds with signatures and other 
> metadata"?
 
"other metadata" brings .buildinfo files^w^wSBOMs to my mind and indeed we
have (at least) two concepts here, including the .buildinfo into the package,
as Arch Linux does, and having a separate .buildinfo file, like Debian does.

I've come to think that including the .buildinfo into the package is the
better way (because the advantages outweigh the disadvantages), contrary
to what I thought in 2016 and later, but I don't see Debian changing this
"any time soon", sadly.


-- 
cheers,
        Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

None of us are safe until all of us are safe. Vaccinate the world.

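The two ways of shipping build metadata that the message contrasts, as an added example that is not part of the mail or of either distribution's tooling: a Debian-style separate `.buildinfo` (deb822 fields with a `Checksums-Sha256` list) checked against the artifacts it describes, and an Arch-style `.BUILDINFO` (key = value lines) read back out of the package tarball it is embedded in. The field layouts are reproduced from memory of each format, the artifact bytes, package names and dependency versions are constructed for the example, and `verify_against_buildinfo` is a helper written here rather than something either project ships.

```python
"""Added example, not from the reproducible-builds mail or from Debian/Arch tooling.
Field layouts follow Debian .buildinfo (deb822) and Arch .BUILDINFO (key = value) from
memory; all sample content below is constructed."""
import hashlib
import io
import tarfile

# Constructed stand-ins for a build's outputs (not real package contents).
ARTIFACTS = {
    "hello_2.10-3_amd64.deb": b"\x1f\x8b fake deb payload",
    "hello_2.10-3.dsc": b"Format: 3.0 (quilt)\nSource: hello\n",
}


def make_debian_buildinfo(artifacts):
    """Emit a separate, Debian-style .buildinfo for the given artifacts (sample fields only)."""
    lines = ["Format: 1.0", "Source: hello", "Binary: hello", "Architecture: amd64",
             "Version: 2.10-3", "Checksums-Sha256:"]
    for name, data in artifacts.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines += ["Build-Origin: Debian", "Build-Architecture: amd64",
              "Installed-Build-Depends:", " gcc-12 (= 12.2.0-14)", " libc6-dev (= 2.36-9)"]
    return "\n".join(lines) + "\n"


def parse_deb822(text):
    """Parse deb822-style text into {field: value}; continuation lines (leading
    whitespace) are appended to the preceding field, one per line."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def parse_checksums(value):
    """Each Checksums-Sha256 entry is '<hex digest> <size> <filename>'."""
    return [(d, int(s), n) for d, s, n in
            (line.split() for line in value.splitlines() if line.strip())]


def verify_against_buildinfo(buildinfo_text, artifacts):
    """Compare the artifacts actually present with what the .buildinfo records.
    Returns {filename: 'ok' | 'missing' | 'size-mismatch' | 'hash-mismatch'}."""
    fields = parse_deb822(buildinfo_text)
    results = {}
    for digest, size, name in parse_checksums(fields["Checksums-Sha256"]):
        data = artifacts.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


def make_arch_package(files, buildinfo_kv):
    """Build an in-memory Arch-style package tarball whose first member is .BUILDINFO."""
    body = "".join(f"{k} = {v}\n" for k, v in buildinfo_kv).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [(".BUILDINFO", body)] + list(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_embedded_buildinfo(pkg_bytes):
    """Read .BUILDINFO back out of the package itself; repeated keys such as
    'installed' are collected into a list, single keys stay scalar."""
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r") as tar:
        raw = tar.extractfile(".BUILDINFO").read().decode()
    info = {}
    for line in raw.splitlines():
        key, _, value = line.partition(" = ")
        info.setdefault(key, []).append(value)
    return {k: v[0] if len(v) == 1 else v for k, v in info.items()}


if __name__ == "__main__":
    bi = make_debian_buildinfo(ARTIFACTS)
    print(verify_against_buildinfo(bi, ARTIFACTS))
    pkg = make_arch_package({"usr/bin/hello": b"\x7fELF fake"},
                            [("format", "2"), ("pkgname", "hello"),
                             ("installed", "gcc-12.2.0-1-x86_64"),
                             ("installed", "glibc-2.36-1-x86_64")])
    print(read_embedded_buildinfo(pkg))
```

The checker reports size and digest mismatches separately so that a truncated upload and a modified-but-same-length file (the case a signature on the .buildinfo alone would not catch unless the artifacts are rehashed) show up as different failures; the Arch side shows that when the record travels inside the package, the verifier has the metadata and the bytes in one object and needs no second file to locate.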