Jonathan McDowell:
> On Wed, Dec 07, 2016 at 11:00:00AM +0000, Ximin Luo wrote:
>> Jonathan McDowell:
>>> I was under the impression that each set of binary artefacts from a
>>> build would be accompanied by a single buildinfo file describing the
>>> environment used. This would be signed by the original uploader, and
>>> then there would be the possibility of further people attesting to
>>> that pairing of buildinfo + binaries, rather than providing an
>>> entirely separate set of buildinfo (+sig) information that produces
>>> the same binary.
>>>
>>> Is there a requirement that the archive is capable of storing
>>> multiple buildinfo files, rather than just multiple buildinfo
>>> signatures, for a given set of binary artefacts?
>>>
>>
>> Yes, buildinfo files are expected to be different, even for multiple
>> builders that successfully reproduced the same binary hashes. The
>> Binary: fields would be the same, but the other fields might be
>> different. This is a good thing from a security perspective.
>>
>> For more details on why you can read the draft here:
>>
>> https://anonscm.debian.org/cgit/reproducible/buildinfo-spec.git/tree/notes/buildinfo.rst
>
> My reading of that is that ideally buildinfo files would describe T, the
> minimal information required to rebuild reproducibly. However
> limitations in knowing exactly what T is for a particular package mean
> that you currently record U', a superset of T, and that by recording
> multiple of these you hope to be able to converge towards T.
>
> I'm not sure this argues for being able to support multiple sets of
> buildinfo information for a single set of binary artefacts within the
> context of the Debian archive.
>
Sorry, I did not read your previous email properly. Your original
statement was correct - for now, it is acceptable for the Debian FTP to
store only one buildinfo file per binary artefact.

However, note that there will have to be multiple buildinfo files per
*source package* in all cases (at least one per arch), because different
build machines build those, and will have different Build-Depends
installed.

Separately, regarding the ECC point, I don't think we can assume that at
this time because DDs still have non-ECC signatures, and are still doing
binary uploads with buildinfo files that we want to store.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
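The distinction the thread turns on (same Binary/Checksums fields, different environment fields; one buildinfo per artefact but several per source package) is easy to see by grouping buildinfo files by the artefacts they attest to. The following is an added example, not code from the thread, the buildinfo spec or any Debian tool: it uses a small hand-written deb822 parser instead of python-debian so it runs offline, and the three sample files, their package versions and the Build-Origin values are constructed for illustration (the checksums are sha256 of made-up strings, not of real .debs).

```python
"""Group Debian .buildinfo files by the binary artefacts they describe.

Added example, not code from the thread or the buildinfo spec. The parser is
a minimal stand-in for a deb822 parser; the sample files are constructed.
"""
import hashlib
from collections import defaultdict


def parse_buildinfo(text):
    """Parse one deb822-style paragraph into a dict of field name -> value.

    Continuation lines (those starting with whitespace) are appended to the
    previous field separated by newlines, so multi-line fields such as
    Checksums-Sha256 and Installed-Build-Depends keep one entry per line.
    """
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed field line: %r" % line)
            current = name.strip()
            fields[current] = value.strip()
    return fields


def artefacts(info):
    """The set of (filename, sha256) pairs this buildinfo attests to."""
    pairs = set()
    for entry in info["Checksums-Sha256"].splitlines():
        if not entry:
            continue
        digest, _size, fname = entry.split()
        pairs.add((fname, digest))
    return frozenset(pairs)


def installed_build_depends(info):
    """Installed-Build-Depends as a set of 'pkg (= version)' strings."""
    raw = info["Installed-Build-Depends"].replace("\n", " ")
    return {d.strip() for d in raw.split(",") if d.strip()}


def group_by_artefacts(texts):
    """Map each distinct artefact set to the parsed buildinfos that produced it.

    Two buildinfos share a group exactly when their Checksums-Sha256 entries
    agree, i.e. when one build reproduced the other; everything else in the
    file (Build-Origin, Installed-Build-Depends, ...) is free to differ.
    """
    groups = defaultdict(list)
    for text in texts:
        info = parse_buildinfo(text)
        groups[artefacts(info)].append(info)
    return dict(groups)


def build_depends_diff(a, b):
    """(only in a, only in b) for two buildinfos' Installed-Build-Depends."""
    da, db = installed_build_depends(a), installed_build_depends(b)
    return da - db, db - da


def _digest(label):
    # Constructed: stand-in for the sha256 of a .deb we do not actually have.
    return hashlib.sha256(label.encode()).hexdigest()


def _sample(arch, deb_digest, origin, build_depends):
    # Constructed .buildinfo text using the field names of the real format.
    lines = [
        "Format: 1.0", "Source: hello", "Binary: hello",
        f"Architecture: {arch}", "Version: 2.10-1",
        "Checksums-Sha256:",
        f" {deb_digest} 12345 hello_2.10-1_{arch}.deb",
        f"Build-Origin: {origin}", f"Build-Architecture: {arch}",
        "Installed-Build-Depends:",
    ]
    lines += [f" {dep}," for dep in build_depends[:-1]]
    lines.append(f" {build_depends[-1]}")
    return "\n".join(lines) + "\n"


AMD64_DEB = _digest("constructed hello amd64 deb")
ARM64_DEB = _digest("constructed hello arm64 deb")
BASE = ["base-files (= 9.6)", "gcc-6 (= 6.2.1-5)", "libc6-dev (= 2.24-8)"]
SAMPLES = [
    # Original maintainer upload on amd64.
    _sample("amd64", AMD64_DEB, "Debian", BASE),
    # Independent amd64 rebuild: same .deb, one extra package installed.
    _sample("amd64", AMD64_DEB, "rebuilder.example", BASE + ["ca-certificates (= 20161130)"]),
    # arm64 build of the same source package: a different artefact entirely.
    _sample("arm64", ARM64_DEB, "Debian", BASE[:1] + ["gcc-6 (= 6.2.1-6)", BASE[2]]),
]

if __name__ == "__main__":
    for arts, infos in group_by_artefacts(SAMPLES).items():
        print(sorted(f for f, _ in arts), "<-", [i["Build-Origin"] for i in infos])
```

Run against the three constructed files this yields two artefact groups for one source package: the amd64 .deb is attested by two buildinfos whose only difference is one entry in Installed-Build-Depends, and the arm64 .deb by one buildinfo of its own.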