
Comments (5)

lamby commented on July 3, 2024

Wouldn't we get this "for free" once we simply push the archive ones to buildinfo.debian.net?

from buildinfo.debian.net.

vagrantc commented on July 3, 2024

> Wouldn't we get this "for free" once we simply push the archive ones
> to buildinfo.debian.net?

We could manually compare them, but the idea is to have a way to
identify which binaries in the official Debian archive are correlated
with which known .buildinfo files.

Currently, there's no tracking in buildinfo.debian.net of anything
other than what's published in .buildinfo files; this would at least
require an extra data source (e.g. Packages files from the archive)
and tying that to the corresponding .buildinfo files.

I suppose at import time, you could flag those .buildinfo files in
some special way...

The .buildinfo files that produced matching binary packages in the
Debian archive are, at least to me, more interesting than the ones
that are arbitrary builds from the test infrastructure. So it would be
nice if those could be flagged somehow in the UI and API.

Maybe some additional service would be a more appropriate place to
implement a correlation between in-archive Packages files and
.buildinfo files uploaded to buildinfo.debian.net.

lamby commented on July 3, 2024

The .buildinfo files are signed by the buildds (which we are recording in buildinfo.debian.net) so unless I'm missing something we would simply mark this set of signatures as "official Debian" and use that for a comparison; no need for this Packages files matching AIUI?

vagrantc commented on July 3, 2024

> the .buildinfo files are signed by the buildds (which we are
> recording in buildinfo.debian.net) so unless I'm missing something we
> would simply mark this set of signatures as "official Debian" and
> use that for a comparison; no need for this Packages files matching
> AIUI?

Sure, if you have a set of known buildd keys and ways of keeping them
updated (and the historically valid keys as well), that would be a
mostly ok assumption.

It wouldn't catch binary uploads from developers, which is still
unfortunately all-too-common practice. Marking all developer-signed
.buildinfos as "official Debian" wouldn't be appropriate, since
developers may upload a signed .buildinfo with a source-only upload,
which doesn't necessarily match the binaries in the archive.

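An added illustration of the Packages-to-.buildinfo correlation discussed in the two comments above (not code from buildinfo.debian.net or from either commenter). It assumes the .buildinfo signature has already been verified elsewhere; the function names and the sample data are hypothetical, while `Checksums-Sha256`, `Filename` and `SHA256` are the standard deb822 field names:

```python
def parse_deb822(text):
    """Split deb822 text into stanzas (dicts); continuation lines join with newlines."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        cur, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of the previous field
                cur[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, val = line.partition(":")
                cur[key] = val.strip()
        if cur:
            stanzas.append(cur)
    return stanzas

def buildinfo_debs(buildinfo_text):
    """Map binary package file name -> sha256 taken from Checksums-Sha256."""
    debs = {}
    for stanza in parse_deb822(buildinfo_text):
        for entry in stanza.get("Checksums-Sha256", "").splitlines():
            parts = entry.split()                 # "<sha256> <size> <file name>"
            if len(parts) == 3 and parts[2].endswith((".deb", ".udeb")):
                debs[parts[2]] = parts[0]
    return debs

def archive_index(packages_text):
    """Map the base name of Filename -> SHA256 for each stanza of a Packages file."""
    return {s["Filename"].rsplit("/", 1)[-1]: s["SHA256"]
            for s in parse_deb822(packages_text) if "Filename" in s and "SHA256" in s}

def correlate(buildinfo_text, packages_text):
    """Per binary: 'match', 'mismatch' (same name, different hash) or 'absent'."""
    index = archive_index(packages_text)
    return {name: "absent" if name not in index
            else "match" if index[name] == sha else "mismatch"
            for name, sha in buildinfo_debs(buildinfo_text).items()}

def flag(results):
    """Flag a .buildinfo only when every binary it lists is in the archive unchanged."""
    return "in-archive" if results and all(v == "match" for v in results.values()) else "unverified"

H1, H2 = "a" * 64, "b" * 64  # constructed placeholder hashes, not real packages
BUILDINFO = (f"Format: 1.0\nSource: hello\nVersion: 2.10-3\nChecksums-Sha256:\n"
             f" {H1} 53000 hello_2.10-3_amd64.deb\nBuild-Architecture: amd64\n")
PACKAGES_OK = f"Package: hello\nFilename: pool/main/h/hello/hello_2.10-3_amd64.deb\nSHA256: {H1}\n"
PACKAGES_OTHER = PACKAGES_OK.replace(H1, H2)  # archive carries a different build

if __name__ == "__main__":
    print(flag(correlate(BUILDINFO, PACKAGES_OK)), flag(correlate(BUILDINFO, PACKAGES_OTHER)))
```

The `mismatch` result is the case raised above where a signed .buildinfo accompanies an upload but does not describe the binaries the archive actually ships.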

lamby commented on July 3, 2024

wfm
