deb-buildinfo(5) dpkg suite deb-buildinfo(5)

deb-buildinfo - Debian build information file format

filename.buildinfo

Each Debian source package build can record the build information in a .buildinfo control file, which contains a number of fields in deb822(5) format.

Each field begins with a tag, such as Source or Binary (case insensitive), followed by a colon, and the body of the field (case sensitive unless stated otherwise). Fields are delimited only by field tags. In other words, field text may be multiple lines in length, but the installation tools will generally join lines when processing the body of the field (except in case of the multiline fields Binary-Only-Changes, Installed-Build-Depends, Environment, Checksums-Md5, Checksums-Sha1 and Checksums-Sha256, see below).

The control data might be enclosed in an OpenPGP ASCII Armored signature, as specified in RFC9580.

The name of the .buildinfo file will depend on the type of build and will be as specific as necessary but not more; the name will be:

for a build that includes any
otherwise for a build that includes all
otherwise for a build that includes source

The value of this field declares the format version of the file. The syntax of the field value is a version number with a major and minor component. Backward incompatible changes to the format will bump the major version, and backward compatible changes (such as field additions) will bump the minor version. The current format version is 1.0.
The name of the source package. If the source version differs from the binary version, then the source-name will be followed by a source-version in parenthesis. This can happen when the build is for a binary-only non-maintainer upload.
This folded field is a space-separated list of binary packages built. If the build is source-only, then the field is omitted (since dpkg 1.20.0).
This space-separated field lists the architectures of the files currently being built. Common architectures are amd64, armel, i386, etc. Note that the all value is meant for packages that are architecture independent. If the source for the package is also being built, the special entry source is also present. Architecture wildcards must never be present in the list.
Typically, this is the original package's version number in whatever form the program's author uses. It may also include a Debian revision number (for non-native packages). The exact format and sorting algorithm are described in deb-version(7).
 changelog-entry
This multiline field contains the concatenated text of the changelog entry for a binary-only non-maintainer upload (binNMU) if that is the case. To make this a valid multiline field empty lines are replaced with a single full stop (‘.’) and all lines are indented by one space character. The exact content depends on the changelog format.
 checksum size filename
These multiline fields contain a list of files with a checksum and size for each one. These fields have the same syntax and differ only in the checksum algorithm used: MD5 for Checksums-Md5, SHA-1 for Checksums-Sha1 and SHA-256 for Checksums-Sha256.

Note: The MD5 and SHA-1 checksums are considered weak, and should never be assumed to be sufficient for secure verification.

The first line of the field value (the part on the same line as the field name followed by a colon) is always empty. The content of the field is expressed as continuation lines, one line per file. Each line consists of space-separated entries describing the file: the checksum, the file size, and the file name.

These fields list all files that make up the build.

The name of the distribution this package is originating from.
The Debian architecture for the installation the packages is being built in. Common architectures are amd64, armel, i386, etc.
The date the package was built. It must be in the same format as the date in a deb-changelog(5) entry.
The release and version (in an unspecified format) of the kernel running on the build system. This field is only going to be present if the builder has explicitly requested it, to avoid leaking possibly sensitive information.
The absolute build path, which correspond to the unpacked source tree. This field is only going to be present if the vendor has allowed it via some pattern match to avoid leaking possibly sensitive information.

On Debian and derivatives only build paths starting with /build/ will emit this field.

 taint-reason-list
This folded field contains a space-separated list of non-exhaustive reason tags (formed by alphanumeric and dash characters) which identify why the current build has been tainted (since dpkg 1.19.5).

On Debian and derivatives the following reason tags can be emitted:

The system has a merged /usr via aliased directories (previously known as merged-usr-via-symlinks). This will confuse dpkg-query, dpkg-statoverride, dpkg-trigger, update-alternatives and any other tool using pathnames as keys into their databases, as it creates filesystem aliasing problems, and messes with the understanding of the filesystem that dpkg has recorded in its database. For build systems that hardcode pathnames to specific binaries or libraries on the resulting artifacts, it can also produce packages that will be incompatible with non-/usr-merged filesystems.
The system has configuration files under /usr/local/etc.
The system has header files under /usr/local/include.
The system has programs under /usr/local/bin or /usr/local/sbin.
The system has libraries, either static or shared under /usr/local/lib.
The system can execute cross built programs, either directly or via some emulation layer.

Since dpkg 1.21.10.

 package-list
The list of installed and configured packages that might affect the package build process.

The list consists of each package name, optionally arch-qualified for foreign architectures, with an exact version restriction, separated by commas.

The list includes all essential packages, packages listed in Build-Depends, Build-Depends-Arch, Build-Depends-Indep source control fields, any vendor specific builtin dependencies, and all their recursive dependencies. On Debian and derivatives the dependency builtin is build-essential.

For dependencies coming from the source control fields, all dependency alternatives and all providers of virtual packages depended on will be included.

 variable-list
The list of environment variables that are known to affect the package build process, with each environment variable followed by an equal sign (‘=’) and the variable's quoted value, using double quotes (‘"’), and backslashes escaped (‘\\’).

deb822(5), deb-changes(5), deb-version(7), dpkg-genbuildinfo(1).

2024-08-01 1.22.11