Received: from mail-pl1-f196.google.com (mail-pl1-f196.google.com [209.85.214.196])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 199E0781B6C
	for <~alpine/devel@lists.alpinelinux.org>; Thu,  2 Jan 2020 20:22:17 +0000 (UTC)
Received: by mail-pl1-f196.google.com with SMTP id c13so18237255pls.0
        for <~alpine/devel@lists.alpinelinux.org>; Thu, 02 Jan 2020 12:22:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=8rR/ZIBLDchHu88NI9Ehv0v+Gq998JA4dE8CEkffu1g=;
        b=hyj1H12SKB5IZ8Kx+BB9VvgNGAWU6w8Yy1ehdX8GDGUZfhDzgivCvthb4KasvWTj2g
         KumTQ66c+2mvf/j7dMRJxlugkbc7FZY4UgrHv8KosGKS6TJ7vyBWYLC8oYMiV54conUd
         HFM9i06qs39clO6vIiQgIyCyp7KADMfyfpx8NtQaZHCg0O5fV+MHLWl+0Ow4lLIPmcFz
         9VdlZz8lJFdqASPTyfIm1tRnPAcQRT1ftvCY0x3C0+DFKFLwhL00WMrQvsmD9opqoZmv
         bdoXh5uqeHzhhKInD3RFs1QLNtWWwwJ89QRvlYkvZBIal4Tjjrkw2Rjb99Pz5/0FiIxC
         Xv9g==
X-Gm-Message-State: APjAAAVXXZ6EcNMDt1LKBKVRPN18UyKfAIawkXxIGdregZzoQ+cEtipc
	vBcXD/jV02vJig0VS74vmtU=
X-Google-Smtp-Source: APXvYqzV9cDz5/Kk5MD0lUWRkdAlK1CtoD+NMUDItMN4RATFnwS9dQa9/1SH6PtiL9jZ8FrvOsp//Q==
X-Received: by 2002:a17:90a:1a50:: with SMTP id 16mr22458348pjl.14.1577996535196;
        Thu, 02 Jan 2020 12:22:15 -0800 (PST)
Received: from vostro.lan (2001-44b8-01b4-a600-3641-5dff-fe8b-7d4c.static.ipv6.internode.on.net. [2001:44b8:1b4:a600:3641:5dff:fe8b:7d4c])
        by smtp.gmail.com with ESMTPSA id q10sm61690145pfn.5.2020.01.02.12.22.13
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 02 Jan 2020 12:22:14 -0800 (PST)
Date: Thu, 2 Jan 2020 22:22:07 +0200
From: Timo Teras <timo.teras@iki.fi>
To: Kevin Daudt <kdaudt@alpinelinux.org>
Cc: Rasmus Thomsen <oss@cogitri.dev>, ~alpine/devel@lists.alpinelinux.org
Subject: Re: new package format and repository layout changes
Message-ID: <20200102222207.6808c028@vostro.lan>
In-Reply-To: <20191230180430.GE846450@alpha>
References: <20191230145542.1a7ca9cf@vostro>
	<11500e3dc7d7da1a3d6acf4e1d855906630f6c31.camel@cogitri.dev>
	<20191230175446.GD846450@alpha>
	<34cd93c2ddfb985c29b3b74862c9e71945a34954.camel@cogitri.dev>
	<20191230180430.GE846450@alpha>
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-alpine-linux-musl)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Mon, 30 Dec 2019 19:04:30 +0100
Kevin Daudt <kdaudt@alpinelinux.org> wrote:

> On Mon, Dec 30, 2019 at 05:59:17PM +0000, Rasmus Thomsen wrote:
> > On Mon, 2019-12-30 at 18:54 +0100, Kevin Daudt wrote:  
> > > On Mon, Dec 30, 2019 at 02:12:25PM +0000, Rasmus Thomsen wrote:  
> > > > Hello,
> > > >   
> > > > > 4. version handling
> > > > > 
> > > > > Sort of unrelated, but something I'd like to also bring up
> > > > > once again.
> > > > > Since now that if we do proper distribution / branch tracking.
> > > > > And
> > > > > the
> > > > > package downgrades happen at times. I'm wondering if we should
> > > > > make
> > > > > the
> > > > > package version "informative" only. And use the build_time to
> > > > > decide
> > > > > which package is the "preferred version". In most cases it is
> > > > > the latest built package from the repository we want to be
> > > > > using.
> > > > > 
> > > > > Alternative would be introduce some sort of concept similar to
> > > > > debian/pacman package "epoch".
> > > > > 
> > > > > Though another way to look at it that the buildtime is the
> > > > > automatically generated epoch number. :)  
> > > > 
> > > > Having the buildtime as automatically generated epoch number
> > > > sounds great to me, I don't see any situation where we'd have a
> > > > package with a
> > > > 'fresher' buildtime that isn't meant to replace the previous
> > > > version of
> > > > that package and that'd make downgrades work automagically.
> > > 
> > > Wouldn't build-time timestamps interfere with reproducable
> > > builds? A better option would be to use commit timestamps, so
> > > that it's at least
> > > stable.  
> > 
> > Hm, the contents of the package would still be reproduciable, so I'm
> > not sure if that'd be actually be much of a problem, but using the
> > commit timestamps sounds good too - hadn't thought about that! :)
> 
> Reproducable builds is about the entire package, not just about the
> contents. abuild was already adjusted to account for this, although
> some changes had to be reverted due to issues.

That would probably then mean that we don't include build time in the
meta data either. Or use $SOURCE_DATE_EPOCH.

This probably implies that we need care on doing the signatures too.
E.g. ECDSA often has by defaulta random element in the signature
(there's a deterministic mode now too, but not always the default).

Timo