[Rpm-maint] [rpm-software-management/rpm] Reproducible builds improvements (Discussion #2934)

Bernhard M. Wiedemann notifications at github.com
Thu Feb 29 11:18:11 UTC 2024


I'm always thinking about rebuild+compare as one operation.
In the Debian and Archlinux space there were also discussions about centralized collections of multiple rebuilder-results. Those are signed data containing "$rebuildername built $package $version and got output $hash".
That would work poorly with fuzzy-matching. It could work with a custom rpmhash tool, but how do you prove that it indeed covers all relevant bits? I don't like that and would rather see us reach bit-reproducible rpms (after delsign) that work with generic `sha256sum`.

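An added example, not part of the original message or of rpm: a tally of rebuilder results of the form "$rebuildername built $package $version and got output $hash", compared by exact SHA-256 against the artifact held locally. The record layout, function names, threshold and sample data are assumptions made for illustration, and signature verification of the records is assumed to have happened already.

```python
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    """Same digest that `sha256sum` prints for a file with these bytes."""
    return hashlib.sha256(data).hexdigest()


def check_consensus(claims, local_hashes, min_rebuilders=2):
    """Compare rebuilder claims against the hashes of the artifacts we hold.

    claims: (rebuilder, package, version, sha256) tuples, assumed to come
            from records whose signatures were already verified.
    Returns {(package, version): (status, rebuilders_that_disagree)}.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for rebuilder, package, version, digest in claims:
        seen[(package, version)][rebuilder].add(digest.lower())

    results = {}
    for key, local in local_hashes.items():
        votes = seen.get(key, {})
        agree = [r for r, d in votes.items() if d == {local}]
        differ = sorted(r for r, d in votes.items() if d != {local})
        if differ:
            status = "mismatch"       # at least one rebuilder got other bits
        elif len(agree) >= min_rebuilders:
            status = "reproduced"     # enough independent identical builds
        else:
            status = "insufficient"   # too few claims to conclude anything
        results[key] = (status, differ)
    return results


# Constructed stand-ins for rpm file contents (after signature removal).
FOO = b"constructed foo-1.0 rpm bytes"
BAR = b"constructed bar-2.1 rpm bytes"
LOCAL = {("foo", "1.0"): sha256_hex(FOO), ("bar", "2.1"): sha256_hex(BAR),
         ("baz", "0.3"): sha256_hex(b"constructed baz-0.3 rpm bytes")}
CLAIMS = [
    ("rebuilder-1", "foo", "1.0", sha256_hex(FOO)),
    ("rebuilder-2", "foo", "1.0", sha256_hex(FOO)),
    ("rebuilder-1", "bar", "2.1", sha256_hex(BAR)),
    ("rebuilder-2", "bar", "2.1", sha256_hex(BAR + b" embedded build time")),
    ("rebuilder-1", "baz", "0.3", LOCAL[("baz", "0.3")]),
]

if __name__ == "__main__":
    for key, outcome in check_consensus(CLAIMS, LOCAL).items():
        print(key, outcome)
```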