Hi, Quoting Daniel Kahn Gillmor (2016-11-13 21:44:22) > It is definitely not what most of us initially expected, but it is > actually what we want. > > i look at it this way: > > * Ideally, the generated binary packages are reproducible *even when > the build environment changes*. For example, I build a package as > the user "dkg" on machine "alice" in path /home/dkg/src/foo, and you > build it as "lamby" on machine "bob" in path > /home/lamby/work/foo/foo, and we should get the same outcome. > > * The buildinfo file documents things that *might* influence the build, > but it also documents things that *should not* influence the build. > Two differing buildinfo files that produced the same output > effectively say "even when the build environment varies in the way > that these two do, the package is still reproducible"
another thing to think about: Thinking "lets remove everything that should not influence the build from the buildinfo" is futile in the first place. The most obvious example is the "Installed-Build-Depends" field. The build output should probably not depend on many of the Essential:yes packages like bash, sed or gzip. Still we list these packages in the .buildinfo. In fact, we cannot know whether or not the build is independent of the bash, sed or gzip package versions (or architectures) if we would *not* list them. So look at it this way: By listing lots of extra information like package versions, build time and build path we store information that we can later use to identify whether or not the artifacts produced by a bit are independent from them. If we have two buildinfo files with different build time but the same hashes, then we can easily conclude that apparently the build is invariant of the time. If we have two buildinfo files with different dpkg versions but the same hashes then we can conclude that apparently, these two dpkg versions have the same effect on the build. Without listing this info, we cannot make this inferences. Of course this does not mean that we include *all* the happenstance information in a buildinfo file. We don't include the username or the specs of the machine the build was run on. But we still include the interesting information. What constitutes "interesting" is of course up to debate but by the arguments that were brought up in earlier mails, I'd argue that datapoints like build date and build path are still "interesting" pieces of information to keep around for now. Thanks! cheers, josch
signature.asc
Description: signature
_______________________________________________ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
