[rb-general] Core Debian reproducibility: how close?

David A. Wheeler dwheeler at dwheeler.com
Tue Oct 23 20:39:34 CEST 2018

> On 2018-10-23, "David A. Wheeler" <dwheeler at dwheeler.com> wrote:
> > How close is the core of Debian to being reproducibly built? By core I
> > mean the packages that you always have to install no matter what.

On Tue, 23 Oct 2018 11:01:19 -0700, Vagrant Cascadian <vagrant at debian.org> wrote:
> There are a few charts that show the reproducibility of particular sets
> of packages:
>   https://tests.reproducible-builds.org/debian/buster/amd64/pkg_set_essential.html
>   https://tests.reproducible-builds.org/debian/buster/amd64/pkg_set_required.html
>   https://tests.reproducible-builds.org/debian/buster/amd64/pkg_set_popcon_top1337-installed-sources.html
> These numbers are all theoretical, as they are not testing against
> binary packages actually in the archive, it's just rebuilding the
> sources twice with variations added.

That progress is impressive, especially since this is a hard problem.

However, I want to know *actual* not theoretical.

> The current official packages in the archive don't have sufficient
> public infrastructure to reproduce the builds (e.g. .buildinfo files),
> and even with the .buildinfo files, there is some work to be done on the
> tooling to reproduce the builds:
>   https://bugs.debian.org/774415
>   https://github.com/stevenc99/reprobuild
> Hope that helps!

That helps, but it looks like there are still some infrastructure problems that
are preventing Debian (even the required subset) from being reproducible
"in real life".  The issues seem to have been in the works since 2015.
Holger appears to be soldiering on (yay!), and I know Chris Lamb's been working
on this (big congrats!).  But I leave reading that trail still confused.

In short: It's hard for me to tell "what's left to do for real Debian (at least
its required parts) to be reproducible?"
Are there just one or two small things that prevent it from going from
theory to practice?  Or are they huge?
I suspect others are having trouble telling as well.

Sorry if that's obvious to everyone else.

--- David A. Wheeler
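
Added example, not part of the original message or of any Debian tooling: a minimal sketch of the "actual" check discussed above, comparing the checksums recorded in a .buildinfo file against the artifacts of an independent rebuild. The package names, contents and helper names (make_buildinfo, parse_buildinfo_checksums, compare_rebuild) are constructed for illustration, and the artifacts are in-memory byte strings rather than real .deb files.

```python
import hashlib


def make_buildinfo(artifacts):
    """Build a constructed .buildinfo-style text for {filename: bytes}."""
    lines = ["Format: 1.0", "Source: hello", "Version: 1.0-1", "Checksums-Sha256:"]
    for name, data in artifacts.items():
        # Each checksum line is: <sha256> <size> <filename>, indented by one space.
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Build-Architecture: amd64")
    return "\n".join(lines)


def parse_buildinfo_checksums(text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    recorded, in_field = {}, False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith((" ", "\t")):
            digest, size, name = line.split()
            recorded[name] = (digest, int(size))
        else:
            in_field = False  # any non-continuation line ends the field
    return recorded


def compare_rebuild(recorded, rebuilt):
    """Compare recorded checksums with rebuilt artifacts ({filename: bytes})."""
    report = {}
    for name, (digest, size) in recorded.items():
        data = rebuilt.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) == size and hashlib.sha256(data).hexdigest() == digest:
            report[name] = "reproduced"
        else:
            report[name] = "differs"
    for name in rebuilt.keys() - recorded.keys():
        report[name] = "unexpected"  # rebuild produced a file the record lacks
    return report


# Constructed sample data: what the "archive" build recorded vs. a rebuild
# in which one package picked up a build-time variation.
ARCHIVE = {"hello_1.0-1_amd64.deb": b"constructed package A",
           "hello-doc_1.0-1_all.deb": b"constructed package B"}
REBUILD = {"hello_1.0-1_amd64.deb": b"constructed package A",
           "hello-doc_1.0-1_all.deb": b"constructed package B, built 2018-10-24"}

if __name__ == "__main__":
    recorded = parse_buildinfo_checksums(make_buildinfo(ARCHIVE))
    for name, status in sorted(compare_rebuild(recorded, REBUILD).items()):
        print(f"{status:11} {name}")
```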
