rebuilder-snapshot.debian.net

• This is work-in-progress.
  Eventually this should work as designed! Please read on and have some more patience until we announce it's usable.
• rebuilder-snapshot.debian.net/storage/ has all the .deb files needed to rebuild all ^(*) of Debian as of today.
  There are no Packages.xz however, and using it should rely on strong hashes instead of https.
  (*) see below for current limitations on available archs and suites.
  
  • /storage/files
  • /storage/sha1
  • /storage/sha256
  • limited to these architectures: amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x
  • limited to these suites: bookworm trixie unstable experimental
    and to these too: bookworm-security bookworm-updates bookworm-proposed-updates bookworm-backports bookworm-backports-sloppy trixie-security trixie-updates trixie-proposed-updates
• Packages.xz files with strong hashes for all the packages provided here are available on snapshot.debian.org, which is also the place which provides source packages for all the binary packages cached and made available here.
• Documentation:
  • api contains the API documentation. To give an example:
    api/v1/package/autopoint/0.19.8.1-1
    api/v1/package/autopoint/0.19.8.1-1/all
    api/v1/sha1/64a823995249e2429a3f308d100c377134d145a1
  • README.md
  • USAGE.md
• stats and resource usage
• Source code:
  • https://salsa.debian.org/reproducible-builds/rebuilder-snapshot/
  • tracked issues
  • deprecated https://code.fe80.eu/lynxis/repro-debian/
• rebuilder-snapshot is not a replacement for snapshot.debian.org, it's rather meant to be a tailored frontend / cache to access that service. We still need snapshot.d.o and we still need to address it's issues, which have been summarized in #1050815 and #1031628, but also have been evident in #1029744, #1034000, #1012559, #979115, #969603…
• Already planned: non-free-firmware.
• Not planned: contrib and non-free, bullseye and older. bullseye and older are not planned mostly because of too many missing .buildinfo files. But also because before bookworm the archive was not as tidy as it is now. Kudos for that. contrib and non-free are not planned because a.) main is enough work already and b.) what's the point if sources are not available?
• How to use this? to be written, though due to issue #40 this is not usable yet.
• How does this work? to be written
• How can this data be trusted?
  • either via Packages.xz and InRelease(.gpg) files. For unstable the InRelease file is signed by a key in /usr/share/keyrings/debian-archive-keyring.gpg and contains the sha256 checksums of Packages(.xz), which then contain the sha256 checksum of a referenced .deb packages. For .deb files not contained in any current release a suiteable Packages file needs to be found via metasnap.debian.net. This is possible but no code exists yet.
  • and/or append only logs of package filenames, their sha256 checksum and a timestamp of the first Packages file that contained a file. This is possible (a continuation of metasnap.d.o?) but no code exists yet.
  • and/or by rebuilding packages (without verifying the build depends at all) and still getting 100% bit by bit expected results.
• Further feedback much appreciated! Either on #debian-reproducible on IRC, the issue tracker or however.

To infinity and beyond!

This page and the data served by rebuilder-snapshot.debian.net was last updated on Sun Jun 30 10:55:36 UTC 2024.

(c) 2023 Alexander Couzens (lynxis) <lynxis@fe80.eu>
(c) 2023 Holger Levsen (h01ger) <holger@layer-acht.org>