On Thu, Dec 08, 2016 at 09:58:00AM +, Ximin Luo wrote:
[Signature field for build-info]
> If we go down this route (and it's looking pretty good IMO) then I
> agree that we don't need to store the binary hashes in Packages.gz.
> But we should store a hash of each Buildinfos.xz in the Release
On Wed, Dec 07, 2016 at 11:00:00AM +, Ximin Luo wrote:
> Jonathan McDowell:
> > I was under the impression that each set of binary artefacts from a
> > build would be accompanied by a single buildinfo file describing the
> > environment used. This would be signed by
On Tue, Dec 06, 2016 at 06:21:09PM -0500, Daniel Kahn Gillmor wrote:
> I'd be wary about this "multiple such fields" bit. It seems likely that
> different buildinfo files will not match each other, even if the
> *output* is reproducible. This is because buildinfo files can capture
> some things
On Tue, Dec 06, 2016 at 09:24:20PM +, Holger Levsen wrote:
> On Mon, Nov 14, 2016 at 02:57:00PM +, Ximin Luo wrote:
> > This email is a summary of some discussions that happened after the
> > last post to bug #763822, plus some more of my own thoughts and
> > reasoning on the topic.
>
> I
On Sun, Aug 21, 2016 at 04:01:00PM +, Ximin Luo wrote:
> Jonathan McDowell:
> > On Sat, Aug 20, 2016 at 03:13:00PM +, Ximin Luo wrote:
> >> Note that the builder is a *distinct entity* from the distribution.
> >> It's important to keep the *original* signature by
On Sat, Aug 20, 2016 at 03:13:00PM +, Ximin Luo wrote:
> Jonathan McDowell:
> > Having been impressed by the current status of reproducible builds
> > and the fact it looks like we're close to having the important
> > pieces in Debian proper, I have started to have a lo