Web lists-archives.com

Re: Use of .buildinfo in buster

On Mon, Jul 24, 2017 at 09:46:27PM +0100, Chris Lamb wrote:
> Related to this is how we show/expose reproducibility to end users, if it
> all. Some discussion of sorts is happening on #863622 (src:apt).

How is this supposed to work for DSAs?
Do you want to claim a security update is reproducible without checking,
or do you want to delay DSAs until the packages have been reproduced 
for all architectures?

Why should this be a per-package user-visible issue instead of aiming
at giving guarantess for all packages in main?

There is also a certain amount of WTF:
This would make a relatively hard to exploit issue appear more
worrisome to a user than installing a browser engine with zero
security support and more than 100 unfixed CVEs.

> Regards,



       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed