Web lists-archives.com

Re: [yay for broken usage of was: in the Subject header]




On Thu, 2018-01-11 at 01:06:06 +0100, Johannes Schauer wrote:
> Quoting Philipp Kern (2018-01-11 00:20:17)
> > Why is it making comparing packages with each other difficult?
> 
> What I meant here was what I mentioned elsewhere in this thread. We can check
> whether two binary packages built with a different set of build profiles active
> are actually the same by using the tools from the reproducible builds project.
> And the easiest way to do the comparison is to compare their hashes. If the
> build profile would be included, then comparing the packages would be made more
> difficult.

Or IOW:

  cmp a.deb b.deb

vs

  dpkg-deb -R a.deb a
  dpkg-deb -R b.deb b
  sed -i -e '/^Built-For-Profiles/d' a/DEBIAN/control
  sed -i -e '/^Built-For-Profiles/d' b/DEBIAN/control
  diff -Naur a b

While then not comparing the actual .deb, for any other suspicious
members, difference in format, strange padding, etc, or control.tar
metadata changes.

> > At the same time for a stable port the archive can ensure that the build
> > profile was actually the default one (or accept divergences with a conscious
> > decision, like using NEW or BYHAND).
> 
> The archive can already do this check by investigating the buildinfo file that
> was uploaded together with the binary packages.

Actually this information is also readily available in the .changes
file which DAK is already parsing.

Thanks,
Guillem