[Reproducible-builds] Ideas

Stéphane Glondu glondu at debian.org
Tue Feb 4 12:55:55 UTC 2014


On 04/02/2014 10:19, Jérémy Bobbio wrote:
> I'm not interested in that. I can again quote the same bug log
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719844#37
> 
>     My ideal scenario is the following:
> 
>      1. I retrieve the .changes file for a package.
>      2. I verify the signature on the .changes.
>      3. I give the .changes to a "rebuild" tool.
>      4. The checksum of the .deb listed in the original .changes file
>         and the checksum of the .deb I've just built should match.
> 
>     I even would like to compare the rebuilt .deb not only by one source,
>     but by several.
> 
>     I would rather avoid to have a `dpkg-deb --compare` as you suggested
>     because comparing signed checksums is much easier than to transfer
>     `.deb` all around between multiple independent builders.

Instead of `dpkg-deb --compare`, we could envision a `dpkg-deb
--checksum`, that would give the checksum of the "relevant" bits, and put
it in the .changes files. This checksum would need to be easily
computable using standard tools (i.e. not dpkg itself, like what Hilko
proposed).

However, if programs can act differently based on the malleable part of
the packages (and they can for timestamps), it would partially undermine
the original goal...


Cheers,

-- 
Stéphane
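As an added illustration of the `dpkg-deb --checksum` idea discussed above (example code written for this page, not dpkg's or the Reproducible Builds project's code): two builds of the same content with different timestamps get different raw checksums, but the same checksum once the malleable fields are left out. The minimal .deb it assembles (ar container with debian-binary, control.tar.gz and data.tar.gz) is constructed inline, and the choice of which fields count as "relevant" (member names, tar paths, modes, ownership, link targets, contents; never ar, gzip or tar timestamps) is an assumption made here, not a dpkg definition.

```python
"""Normalized checksum of a .deb that ignores timestamps (added example, not dpkg code)."""
import hashlib
import io
import struct
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_write(members):
    """Serialise (name, mtime, data) triples as a classic ar archive, the .deb container."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, mtime, data in members:
        # 60-byte ar header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"
        out.write(b"%-16s%-12d%-6d%-6d%-8s%-10d`\n"
                  % (name.encode(), mtime, 0, 0, b"100644", len(data)))
        out.write(data)
        if len(data) % 2:
            out.write(b"\n")  # ar pads members to an even length
    return out.getvalue()


def ar_read(blob):
    """Yield (name, data) for each member of an ar archive."""
    assert blob[:8] == AR_MAGIC, "not an ar archive"
    pos = 8
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[0:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        pos += 60
        yield name, blob[pos:pos + size]
        pos += size + (size % 2)


def make_tar(files, mtime):
    """Build an in-memory tar.gz of {path: bytes} with every entry stamped `mtime`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in sorted(files.items()):
            ti = tarfile.TarInfo(path)
            ti.size = len(content)
            ti.mtime = mtime
            ti.mode = 0o644
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()


def make_deb(files, control, mtime):
    """Assemble a constructed minimal .deb (stand-in for a real dpkg-deb output)."""
    return ar_write([
        ("debian-binary", mtime, b"2.0\n"),
        ("control.tar.gz", mtime, make_tar({"control": control}, mtime)),
        ("data.tar.gz", mtime, make_tar(files, mtime)),
    ])


def _feed(h, *fields):
    """Length-prefix every field so the concatenation is unambiguous."""
    for f in fields:
        if isinstance(f, str):
            f = f.encode()
        elif isinstance(f, int):
            f = str(f).encode()
        h.update(struct.pack(">Q", len(f)))
        h.update(f)


def normalized_checksum(deb_bytes):
    """sha256 over the "relevant" bits: ar member names, tar paths, types, modes,
    uid/gid, link targets and file contents. ar, gzip and tar timestamps are skipped
    (assumed definition of "relevant"; a real dpkg-deb --checksum would have to fix one)."""
    h = hashlib.sha256()
    for name, data in ar_read(deb_bytes):
        _feed(h, "ar-member", name)
        if name.startswith(("control.tar", "data.tar")):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for ti in sorted(tf.getmembers(), key=lambda m: m.name):
                    _feed(h, ti.name, ti.type, ti.mode, ti.uid, ti.gid, ti.linkname)
                    _feed(h, tf.extractfile(ti).read() if ti.isfile() else b"")
        else:
            _feed(h, data)
    return h.hexdigest()


def demo():
    """Original build vs. an independent rebuild a day later vs. a modified rebuild."""
    files = {"usr/bin/hello": b"#!/bin/sh\necho hello\n"}
    control = b"Package: hello\nVersion: 1.0\nArchitecture: all\n"
    deb_a = make_deb(files, control, mtime=1391518555)
    deb_b = make_deb(files, control, mtime=1391604955)
    deb_c = make_deb({"usr/bin/hello": b"#!/bin/sh\necho hullo\n"}, control, mtime=1391604955)
    return {
        "raw_match": hashlib.sha256(deb_a).digest() == hashlib.sha256(deb_b).digest(),
        "normalized_match": normalized_checksum(deb_a) == normalized_checksum(deb_b),
        "modified_match": normalized_checksum(deb_a) == normalized_checksum(deb_c),
    }


if __name__ == "__main__":
    print(demo())
```

Such a value could be carried in the .changes file and compared by independent rebuilders without moving any .deb around, as the quoted message asks for. The caveat in the reply stands, though: everything this checksum ignores is exactly the part a program could still behave differently on, so a normalized match only says the relevant bits are identical, not that the shipped package is byte-for-byte the one that was built.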