Friends -
On Wed, Apr 03, 2024 at 05:21:40AM +0300, Adrian Bunk wrote:
> It is documented that auto-generated Github tarballs for the same tag
> and with the same commit ID downloaded at different times might have
> different checksums.
I've run into this statement before. It's annoyingly
On Wed, Apr 03, 2024 at 02:31:11AM +0200, kpcyrd wrote:
>...
> I figured out a somewhat straight-forward way to check if a given `git
> archive` output is cryptographically claimed to be the source input of a
> given binary package in either Arch Linux or Debian (or both).
For Debian the proper
Hello,
I'm going to keep this short, I've been writing a lot of text recently
(which is quite exhausting, on top of my dayjob and all the code I wrote
today afterwards. Apologies if you're still waiting for a reply in one
of the other threads).
I figured out a somewhat straight-forward way
James Addison wrote that local storage can contain errors. I agree.
> My guess is that we could get into near-unsolvable philosophical territory
> along this path, but I think it's worth being skeptical of the notions that
> local-storage is always trustworthy and that the network should always
James Addison wrote:
> None of the remaining thirty-or-so (and in fact, none of the 66 updated so
> far)
> are usertagged both 'buildpath' and 'toolchain'.
>
> I would say that a few of them _are_ 'toolchain packages' -- mono,
> binutils-dev
> and a few others -- but for these bugs the
Hi John,
On Fri, 29 Mar 2024 at 19:29, John Gilmore wrote:
>
> kpcyrd wrote:
> > 1) There's currently no way to tell if a package can be built offline
> > (without trying yourself).
>
> Packages that can't be built offline are not reproducible, by
> definition. They depend on outside events
Thanks, Chris,
On Sun, 31 Mar 2024 at 13:01, Chris Lamb wrote:
>
> Hi James,
>
> > Approximately thirty are still set to other severity levels, and I plan to
> > update those with the following adjusted messaging […]
>
> Looks good to me. :)
>
> Completely out of interest, are any of those 30
