On Wed, Jun 21, 2017 at 09:28:00AM +0000, Ximin Luo wrote:
> Adrian Bunk:
> > On Tue, Jun 20, 2017 at 02:47:20PM -0400, Daniel Kahn Gillmor wrote:
> >> Hi Ian--
> >>
> >> On Tue 2017-06-20 18:10:49 +0100, Ian Jackson wrote:
> >>> A .buildinfo file is not useful for a source-only upload which is
> >>> veried to be identical to the intended source as present in the
> >>> uploader's version control (eg, by the use of dgit).
> >>>
> >>> Therefore, dgit should not include .buildinfos in source-only uploads
> >>> it performs. If dgit sees that a lower-layer tool like
> >>> dpkg-buildpackage provided a .buildinfo for a source-only upload, dgit
> >>> should strip it out of .changes.
> >>
> >> I often do source-only uploads which include the .buildinfo.
> >>
> >> I do source-only uploads because i don't want the binaries built on my
> >> own personal infrastructure to reach the public. But i want to upload
> >> the .buildinfo because i want to provide a corroboration of what i
> >> *expect* the buildds to produce.
> >> ...
> >
> > If you expect that, then your expectation is incorrect.
> >
> > If you upload a package right now, chances are the buildds will use both
> > older versions of some packages [1] and more recent versions of some
> > other packages [2] than what you used.
> >
>
> I think what dkg means here (and what we the R-B team has wanted for ages and
> is working towards), is not that the buildds use the *versioned dependencies*
> listed in the buildinfo, but produce the same *output hashes* as what's in
> the buildinfo.
>
> The point being specifically that the dependencies used could change, but if
> the output remains constant, we're more assured that the build was done
> properly and reproducibly.
How is that supposed to work when the compiler is not exactly identical?
As an example, gcc-6 6.3.0-18 and gcc-6 6.3.0-19 will likely produce
different output for every non-trivial piece of software.
The reason is that every new gcc upload usually contains whatever
bugfixes are on the upstream branch.
> X
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
