
Bug#863622: apt: warn when installing packages that are not reproducible



Julian Andres Klode wrote:

> We'd need some hash or something to add to the lookup (unless the
> information comes from the same repo).

Oh, absolutely :)  In fact, my previous version of the patch did exactly
this, querying buildinfo.debian.net by hash of the file. This is actually
a lot cleaner in some respects than the current situation, in that it
"solves" the issue you raised, but we additionally don't have to work out
the source package name, which is actually buggy in my proof-of-concept...

As it happens, and somewhat hilariously, the only hash I could find in
the Item class was MD5… *g*


>    There's also a reason for requiring reproducibility info
>    to be signed

Indeed.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

