[Rpm-maint] [rpm-software-management/rpm] Reproducible builds improvements (Discussion #2934)

Bernhard M. Wiedemann notifications at github.com
Wed Feb 28 13:25:59 UTC 2024


keszybz wrote:
> any party can recreate copies of the artifacts that are identical except for the signatures and parts of metadata

I don't think it is a good idea to exclude metadata. One benefit that you can only get with bit-identical reproducibility is that you can list the one and only correct hash value of the build result (that also works with signed rpms + delsign).
However, with weaker variants, you always need another full rpm to compare to. I.e., for our 16k packages, instead of publishing a list of 16k hashes you then need to keep the full archive (100GB) to allow people to reproduce any package.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2934#discussioncomment-8618492

Message ID: <rpm-software-management/rpm/repo-discussions/2934/comments/8618492 at github.com>

