Re: Use of .buildinfo in buster
- Date: Tue, 25 Jul 2017 00:56:05 +0300
- From: Adrian Bunk <bunk@xxxxxxxxxx>
- Subject: Re: Use of .buildinfo in buster
On Mon, Jul 24, 2017 at 09:46:27PM +0100, Chris Lamb wrote:
> Related to this is how we show/expose reproducibility to end users, if at
> all. Some discussion of sorts is happening on #863622 (src:apt).
How is this supposed to work for DSAs?
Do you want to claim a security update is reproducible without checking,
or do you want to delay DSAs until the packages have been reproduced
for all architectures?
Why should this be a per-package user-visible issue instead of aiming
at giving guarantees for all packages in main?
There is also a certain amount of WTF:
This would make a relatively hard to exploit issue appear more
worrisome to a user than installing a browser engine with zero
security support and more than 100 unfixed CVEs.
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed