ers, and almost conflicts with Qubes OS
Summit :(
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
signature.asc
Description: PGP signature
trfs snapshots (zfs or xfs are other likely candidates
> for filesystem-level snapshots). It is working better than I expected!
Isn't this more or less what has been tried a few times before, and it
works only until you load it with years' worth of data?
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
e), but
due to upstream issues, Fedora jobs are allowed to fail.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
ly maintainable to me,
> at least in theory, but maybe I am just naive and unimaginative... :)
That's an interesting approach, I guess something similar could also be done with
other build tools (like mock under Fedora). But personally, I find the main
value in reprotest is that it already has many variation
> > just any form of "another archive" here. IMO it must be an extremely
> > simple and easily auditable format without any unnecessary features
> > and complexity -- not simply a common one like ZIP or TAR -- to be
> > considered suitable for this use case.
>
> I don't know of any existing widely-used archive format with these properties.
> In practice, everyone uses ZIP or TAR. I can only start with the current
> state.
> I doubt a new archive format would get a lot of traction
> (but I'd be happy to be proven wrong).
>
> --- David A. Wheeler
>
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
tripped out for
> reproducibility comparison.
>
> Excluding some bits and verifying the rest adds complication to the
> verification process, and thus opportunities for errors, and I believe
> at least once resulted in incorrect results due to bugs in the
> verification process...
Another issue with this approach is embedding one artifact in another.
If, for example, an ELF binary (with a GitBOM note included) is then
included in some container (archive, filesystem image - like live ISO
image), then the comparing process gets _much_ more complex.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
a info already: buildinfo
file. And I think that should be kept separated.
In fact, for the sole verification purpose, IMO just the source hash should
be enough (if we trust the hash we use), but for debugging purposes it
may be convenient to name the package and version anyway.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
that want to do this as well.
>
> I wonder if we could integrate these additional fields into the
> environment portion of the link metadata to have the best of both
> worlds...
I would also like to know how this new format relates to the already
existing and working in-toto approach. Is there