[rb-general] Core Debian reproducibility: how close?

Vagrant Cascadian vagrant at debian.org
Tue Oct 23 20:01:19 CEST 2018


On 2018-10-23, "David A. Wheeler" <dwheeler at dwheeler.com> wrote:
> How close is the core of Debian to being reproducibly built? By core I
> mean the packages that you always have to install no matter what.

There are a few charts that show the reproducibility of particular sets
of packages:

  https://tests.reproducible-builds.org/debian/buster/amd64/pkg_set_essential.html
  https://tests.reproducible-builds.org/debian/buster/amd64/pkg_set_required.html
  https://tests.reproducible-builds.org/debian/buster/amd64/pkg_set_popcon_top1337-installed-sources.html

There are more package sets listed at the bottom, with all the
thumbnailed charts:

  https://tests.reproducible-builds.org/debian/buster/index_suite_amd64_stats.html

These numbers are all theoretical, as they are not testing against
binary packages actually in the archive, it's just rebuilding the
sources twice with variations added.

It also doesn't cover reproducible package installation, in which
maintainer scripts might do things unreproducibly.


> The Debian web page on this shows the progress on packages, which is
> impressive, but it doesn't give any sense of how many of the most
> important packages are reproducible, or whether the packages that are
> actually delivered currently are reproducible using the current
> deployed tools.

The current official packages in the archive don't have sufficient
public infrastructure to reproduce the builds (e.g. .buildinfo files),
and even with the .buildinfo files, there is some work to be done on the
tooling to reproduce the builds:

  https://bugs.debian.org/774415
  https://github.com/stevenc99/reprobuild


> I don't care if the build directories have to be in fixed places; with
> containers and chroots that is easy.

I've targeted only buster links above, as that doesn't test build path
variation.


Hope that helps!


live well,
  vagrant
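
Added example, not part of the original message and not Debian's or reprobuild's own tooling: a minimal sketch of the check a .buildinfo file makes possible, comparing the Checksums-Sha256 entries it records against the artifacts of an independent rebuild. The package name, version, file contents and the make_buildinfo helper are constructed for illustration; the parser reads only the unsigned deb822 body and does not verify any OpenPGP signature.

```python
import hashlib

def parse_checksums(buildinfo_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from one multi-line deb822 field."""
    entries, in_field = {}, False
    for line in buildinfo_text.splitlines():
        if line.startswith((" ", "\t")):          # continuation of the previous field
            if in_field and line.strip():
                digest, size, name = line.split()
                entries[name] = (digest, int(size))
        else:                                     # a new "Field: value" line
            in_field = line.split(":", 1)[0] == field
    return entries

def verify_rebuild(buildinfo_text, rebuilt):
    """Compare rebuilt artifacts (name -> bytes) with the recorded checksums."""
    recorded = parse_checksums(buildinfo_text)
    report = {}
    for name, (digest, size) in recorded.items():
        data = rebuilt.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) == size and hashlib.sha256(data).hexdigest() == digest:
            report[name] = "reproducible"
        else:
            report[name] = "differs"
    for name in rebuilt.keys() - recorded.keys():  # built, but never recorded
        report[name] = "unrecorded"
    return report

def make_buildinfo(artifacts):
    """Hypothetical helper: build a constructed .buildinfo body for the sample data."""
    lines = ["Format: 1.0", "Source: hello", "Version: 2.10-1", "Checksums-Sha256:"]
    lines += [f" {hashlib.sha256(d).hexdigest()} {len(d)} {n}" for n, d in artifacts.items()]
    lines += ["Build-Architecture: amd64", "Build-Path: /build/hello-2.10"]
    return "\n".join(lines) + "\n"

# Constructed sample: the second artifact embeds a build date, so the rebuild differs.
DEB, DBG = "hello_2.10-1_amd64.deb", "hello-dbgsym_2.10-1_amd64.deb"
ORIGINAL = {DEB: b"deb contents\n", DBG: b"debug symbols\n"}
REBUILT = {DEB: b"deb contents\n", DBG: b"debug symbols, built 2018-10-24\n"}

if __name__ == "__main__":
    for name, status in sorted(verify_rebuild(make_buildinfo(ORIGINAL), REBUILT).items()):
        print(f"{status:13} {name}")
```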