Guillem Jover: > On Mon, 2016-11-28 at 22:00:32 +0100, Ximin Luo wrote: >> It would be good to be able [..] >> to do a binary build locally, but only upload the source package >> *and* the buildinfo file. > > This was the intention from the beginning. But when I mentioned this > on IRC the other day, Ansgar said ftp-masters might not be too happy > about accepting buildinfo files referencing artifacts that we might > not be able to generated. Because there's no distinction between > packages that are reproducible and ones that are not. > >> This was one idea we had near the beginning of the R-B project. The >> idea being developers could do this, then the buildds could try to >> match what they built, as an extra check. Another advantage is that >> the upload itself would be reduced in size. > > Those are the reasons I gave to Ansgar, but I'd like his and > ftp-masters input on this. >
OK, hopefully I can also argue in favour of it: Indeed there's no distinction between packages that are reproducible, vs ones that are not. But this is the case even if we don't have source+buildonly-only uploads, and stick to binary or source-only uploads as in the current situation. That is - if ftp-masters don't accept source+buildinfo-only uploads, and only allow source-only uploads, then there's *already* no indication whether the package is reproducible or not. People can certainly upload unreproducible packages and these would be accepted into the archive today. What source+buildinfo-only .changes files do is, it allows the archive infrastructure to attempt a reproduction itself, since it has some knowledge of the result is "supposed" to be. If the reproduction fails, then it can either: 1. accept the upload (the current behaviour) 2. accept the upload but warn the uploader that it was unreproducible, and that the actually-built binaries are being used instead 3. reject the upload I guess (3) would require much much more changes to the archive infrastructure and we're not even sure if we want that. However (2) would also be a significant improvement towards reproducibility, and is feasible to achieve - this wishlist feature being the first steps towards achieving that. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git
