rebuilder-snapshot.debian.net
-
This is work-in-progress.
Eventually this should work as designed! Please read on and have some more patience until we announce it's usable.
-
rebuilder-snapshot.debian.net/storage/
has all the .deb files needed to rebuild
all (*) of Debian
as of today.
There are no Packages.xz however, and using it should rely on strong hashes instead of https.
(*) see below for current limitations on available archs and suites.
-
/storage/files
-
/storage/sha1
-
/storage/sha256
-
limited to these architectures: amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x
-
limited to these suites: bookworm trixie unstable experimental
and to these too: bookworm-security bookworm-updates bookworm-proposed-updates bookworm-backports bookworm-backports-sloppy trixie-security trixie-updates trixie-proposed-updates
-
Packages.xz files with strong hashes for all the packages provided here are available on
snapshot.debian.org, which is also the place
which provides source packages for all the binary packages cached and made available
here.
- Documentation:
-
/stats and resource usage
-
Source code:
-
rebuilder-snapshot is not a replacement for snapshot.debian.org,
it's rather meant to be a tailored frontend / cache to access that service.
We still need snapshot.d.o and we still need to address it's issues,
which have been summarized in #1050815
and #1031628,
but also have been evident in #1029744,
#1034000,
#1012559,
#979115,
#969603…
-
Already planned: non-free-firmware.
-
Not planned: contrib and non-free, bullseye and older. bullseye and older are not planned mostly because of too many missing .buildinfo files. But also because before bookworm the archive was not as tidy as it is now. Kudos for that. contrib and non-free are not planned because a.) main is enough work already and b.) what's the point if sources are not available?
-
How to use this? to be written, though due to issue #40 this is not usable yet.
-
How does this work? to be written
-
How can this data be trusted?
-
either via Packages.xz and InRelease(.gpg) files. For unstable the InRelease file is signed by a key in
/usr/share/keyrings/debian-archive-keyring.gpg
and contains the sha256 checksums of Packages(.xz), which then contain the sha256 checksum of a referenced .deb packages. For .deb files not contained in any current release a suiteable Packages file needs to be found via metasnap.debian.net. This is possible but no code exists yet.
-
and/or append only logs of package filenames, their sha256 checksum and a timestamp of the first Packages file that contained a file. This is possible (a continuation of metasnap.d.o?) but no code exists yet.
-
and/or by rebuilding packages (without verifying the build depends at all) and still getting 100% bit by bit expected results.
-
Further feedback much appreciated! Either on #debian-reproducible on IRC, the issue tracker or however.
To infinity and beyond!
This page and the data served by rebuilder-snapshot.debian.net was last updated on Sat Feb 10 11:32:35 UTC 2024.
(c) 2023 Alexander Couzens (lynxis) <lynxis@fe80.eu>
(c) 2023 Holger Levsen (h01ger) <holger@layer-acht.org>