On Wed, Feb 01, 2023 at 08:40:46PM -0500, David A. Wheeler wrote:
> Maybe call it "Ways to combine reproducible builds with signatures and other
> metadata"?

"other metadata" brings .buildinfo files^w^wSBOMs to my mind, and indeed we have (at least) two concepts here: including the .buildinfo into the package, as Arch Linux does, and having a separate .buildinfo file, like Debian does.

I've come to think that including the .buildinfo into the package is the better way (because the advantages outweigh the disadvantages), contrary to what I thought in 2016 and later, but I don't see Debian changing this "any time soon", sadly.

--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄ None of us are safe until all of us are safe. Vaccinate the world.