[rb-general] Core Debian reproducibility: how close?

Justin Cappos jcappos at nyu.edu
Sat Oct 27 21:52:44 CEST 2018


in-toto will help with the verification part (whether by end users or the
distro).  :)

Justin

On Sat, Oct 27, 2018 at 11:28 AM Vagrant Cascadian <vagrant at debian.org>
wrote:

> On 2018-10-23, Vagrant Cascadian <vagrant at debian.org> wrote:
> > On 2018-10-23, David A. Wheeler wrote:
> >> On Tue, 23 Oct 2018 11:01:19 -0700, Vagrant Cascadian <vagrant at debian.org> wrote:
> >>> These numbers are all theoretical, as they are not testing against
> >>> binary packages actually in the archive, it's just rebuilding the
> >>> sources twice with variations added.
> >>
> >> That progress is impressive, especially since this is a hard problem.
> >>
> >> However, I want to know *actual* not theoretical.
> >
> > It's unfortunately missing key infrastructure to do so... so, if you
> > need hard numbers, the harsh reality might very well be 0% reproducible.
> ...
> >> That helps, but it looks like there are still some infrastructure problems that
> >> are preventing Debian (even the required subset) from being reproducible
> >> "in real life".  The issues seem to have been in the works since 2015.
> >> Holger appears to be soldiering on (yay!), and I know Chris Lamb's been working
> >> on this (big congrats!).  But I leave reading that trail still confused.
> ...
> > Then we could move on to the before-mentioned tooling that actually uses
> > the .buildinfo files to attempt to reproduce builds in the archive. And
> > then we could actually test against packages in the archive, and start
> > providing real-world numbers.
>
> Ok, I've found at least one package in the required set, with three
> distinct .buildinfo files that converged on the same .deb:
>
>
> https://buildinfo.debian.net/api/v1/buildinfos/checksums/sha1/c262c9be86f949bbab7c3cbf21db32204f08cc67
>
> The checksum on all three .buildinfo files matches the dash package
> currently in the Debian archive.
>
>
> We're now officially beyond mere theory!
>
>
> It is, of course, an ordeal for an end-user to actually
> verify... basically it amounted to downloading the package from the
> archive, computing the sha1sum (since the Packages files only contain
> MD5 (shudder) and sha256 (not yet supported by the buildinfo.debian.net
> api)), and then checking for matching .buildinfo files at the above URL.
>
>
> live well,
>   vagrant
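The end-user check Vagrant describes above, as an added example that is not part of the thread or of any Debian tool: it parses one Packages stanza, confirms the downloaded .deb against the SHA256 (and MD5Sum) published there, and derives the SHA1 lookup URL for buildinfo.debian.net in the form used in the message. The stanza contents and the .deb bytes are constructed stand-ins, not real archive data.

```python
import hashlib
import re

# Base of the checksum lookup, taken from the URL quoted in the message.
BUILDINFO_API = "https://buildinfo.debian.net/api/v1/buildinfos/checksums"

# Constructed stand-in for the bytes of a downloaded .deb (sha1/md5/sha256 of b"abc").
SAMPLE_DEB = b"abc"

# Constructed Packages stanza; real entries carry MD5Sum and SHA256, not SHA1.
SAMPLE_STANZA = """\
Package: dash
Filename: pool/main/d/dash/dash_EXAMPLE_amd64.deb
MD5Sum: 900150983cd24fb0d6963f7d28e17f72
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""


def parse_stanza(text):
    """Turn one RFC822-style 'Field: value' stanza into a dict (no continuation lines needed here)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def digests(data):
    """md5/sha256 to compare with the Packages entry; sha1 because the API keys on it."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def verify_against_packages(deb_bytes, stanza):
    """Return {'matched': [...fields that agree...], 'sha1_url': url-or-None}.

    MD5 agreement alone is not enough; the SHA256 in Packages must match before
    the SHA1 lookup URL is handed back, so a tampered download is never queried."""
    fields = parse_stanza(stanza)
    d = digests(deb_bytes)
    matched = [f for f, alg in (("SHA256", "sha256"), ("MD5Sum", "md5"))
               if fields.get(f, "").lower() == d[alg]]
    url = f"{BUILDINFO_API}/sha1/{d['sha1']}" if "SHA256" in matched else None
    return {"matched": matched, "sha1_url": url}


if __name__ == "__main__":
    # Fetch the printed URL (e.g. with curl) and look for .buildinfo files listed for it.
    print(verify_against_packages(SAMPLE_DEB, SAMPLE_STANZA))
```

The returned URL is the one to fetch and inspect for matching .buildinfo files; this block does not touch the network.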