Bug#802241: #802241: dpkg: please store the hash of the installed .deb and allow to query it

Guillem Jover guillem at debian.org
Fri Jun 8 03:30:45 BST 2018


Hi!

On Wed, 2018-06-06 at 23:40:54 +0000, Holger Levsen wrote:
> ping on this bug, you haven't replied to it yet and it's a blocker for
> "#774415 sbuild: please add the srebuild sbuild wrapper to reproduce builds"

Oh, had not noticed this was a blocker for anything, sorry. And thought
the previous discussion on the list and on the bug was complete enough
for now. :)

> which is a rather important one to give users the means to easily
> reproduce Debian packages, which is a core feature of reproducible
> builds and which we would love to see for Buster…! 

Having reread the blocking bug, and the specific message where josch
says this one is a blocker (https://bugs.debian.org/774415#44), I
think this is actually an artificial blocker!

I think this specific bug should eventually be fixed; how, I don't
know yet. It would fix some rough edges and make life easier for apt
and other frontends.

But for the specific case in the reproducibility effort, I think even
if we fixed this tomorrow you would not be able to rely on it, because
it would require feeding the hashes for all pre-installed packages, as
David Kalnischkies already mentioned previously.

I say it's an artificial blocker, because it is based on the problem
faced while implementing the srebuild script to use the current
snapshot.d.o API. And I think that's your actual blocker. Fixing that
API would also mean you can use it right away independently of what's
already installed on the system and might be useful for other users
too. I think the fix would imply adding an API entry point based on
the name-version-arch tuple.

Thanks,
Guillem


