[rb-general] Core Debian reproducibility: how close?

Vagrant Cascadian vagrant at debian.org
Tue Oct 23 21:46:17 CEST 2018


On 2018-10-23, David A. Wheeler wrote:
> On Tue, 23 Oct 2018 11:01:19 -0700, Vagrant Cascadian <vagrant at debian.org> wrote:
>> These numbers are all theoretical, as they are not testing against
>> binary packages actually in the archive, it's just rebuilding the
>> sources twice with variations added.
>
> That progress is impressive, especially since this is a hard problem.
>
> However, I want to know *actual* not theoretical.

It's unfortunately missing key infrastructure to do so... so, if you
need hard numbers, the harsh reality might very well be 0% reproducible.

On the positive side, solving those infrastructure problems won't just
solve it for the core/required/essential/etc. package sets, it will open
the doors to solving it archive-wide.


>> The current official packages in the archive don't have sufficient
>> public infrastructure to reproduce the builds (e.g. .buildinfo files),
>> and even with the .buildinfo files, there is some work to be done on the
>> tooling to reproduce the builds:
>> 
>>   https://bugs.debian.org/774415
>>   https://github.com/stevenc99/reprobuild
> ...
>> Hope that helps!

> That helps, but it looks like there are still some infrastructure problems that
> are preventing Debian (even the required subset) from being reproducible
> "in real life".  The issues seem to have been in the works since 2015.
> Holger appears to be soldiering on (yay!), and I know Chris Lamb's been working
> on this (big congrats!).  But I leave reading that trail still confused.
>
> In short: It's hard for me to tell "what's left to do for real Debian (at least
> its required parts) to be reproducible?"
> Are there just one or two small things that prevent it from going from
> theory to practice?  Or are they huge?

The main blocker that comes to mind is publishing the buildinfo files
submitted to the archive in a way that people who are not Debian
developers can actually download them:

  https://bugs.debian.org/763822
  https://bugs.debian.org/862073

Assuming that snapshot.debian.org continues to function well...

Then we could move on to the before-mentioned tooling that actually uses
the .buildinfo files to attempt to reproduce builds in the archive. And
then we could actually test against packages in the archive, and start
providing real-world numbers.


Also, .buildinfo files currently only contain version numbers of the
toolchain used to build the packages, but in actuality it would be more
reliable to use hashes of the installed packages, and this information
is not readily available from dpkg:

  https://bugs.debian.org/802241

Not a hard-blocker, per se, if you're willing to trust that
snapshot.debian.org is infallible. But better to not have to trust...


So, we've gotten to the point where Reproducible Builds in theory is
possible, but we have important things to resolve in order to prove it in
reality. It's been on many of our minds recently, and we'd love to move
it to that next practical point!

We'll definitely be discussing and strategizing and working towards
Reproducible Builds in reality at the Reproducible Builds Summit in
December:

  https://reproducible-builds.org/events/paris2018/


live well,
  vagrant
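The check the thread is circling, rebuilding from a .buildinfo file and comparing the result against the checksums recorded at build time, as an added worked example that is not part of this message or of Debian's own tooling. It assumes a constructed, minimal .buildinfo in the deb822-style layout dpkg writes (Checksums-Sha256 lines of the form `sha256 size filename`, Installed-Build-Depends entries of the form `package (= version)`), and constructed artifact bytes standing in for the original build and two rebuild attempts. The parsing of Installed-Build-Depends is included to make the limitation above concrete: the record holds names and exact versions only, no hash of the installed .deb, so resolving those versions back to bytes still relies on an archive such as snapshot.debian.org.

```python
import hashlib
import re

# Constructed artifact bytes standing in for the .deb from the original build
# and from two rebuilds: one identical, one that embedded a different date.
ORIGINAL_ARTIFACT = b"constructed deb payload, built 2018-10-23\n"
REBUILT_IDENTICAL = b"constructed deb payload, built 2018-10-23\n"
REBUILT_DIFFERENT = b"constructed deb payload, built 2018-10-24\n"


def _build_sample_buildinfo():
    """Constructed .buildinfo text (deb822-style layout). The checksum line is
    derived from ORIGINAL_ARTIFACT so the sample is internally consistent."""
    digest = hashlib.sha256(ORIGINAL_ARTIFACT).hexdigest()
    size = len(ORIGINAL_ARTIFACT)
    return f"""Format: 1.0
Source: hello
Binary: hello
Architecture: amd64
Version: 2.10-2
Checksums-Sha256:
 {digest} {size} hello_2.10-2_amd64.deb
Build-Origin: Debian
Installed-Build-Depends:
 base-files (= 10.1),
 gcc-8 (= 8.2.0-8)
"""


SAMPLE_BUILDINFO = _build_sample_buildinfo()


def parse_buildinfo(text):
    """Parse deb822-style fields into {name: [lines]}. A line starting with
    whitespace continues the previous field; single-line fields give a
    one-element list and list-valued fields give one element per line."""
    fields = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(raw.strip())
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current = name.strip()
        fields[current] = [value.strip()] if value.strip() else []
    return fields


def parse_checksums(fields):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    result = {}
    for line in fields.get("Checksums-Sha256", []):
        parts = line.split()
        if len(parts) != 3 or not re.fullmatch(r"[0-9a-f]{64}", parts[0]):
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, filename = parts
        result[filename] = (digest, int(size))
    return result


def parse_installed_build_depends(fields):
    """Return {package: version}. Only a name and an exact version are
    recorded here, not a hash of the installed .deb."""
    deps = {}
    for line in fields.get("Installed-Build-Depends", []):
        m = re.fullmatch(r"(\S+) \(= (\S+)\),?", line)
        if not m:
            raise ValueError(f"malformed dependency entry: {line!r}")
        deps[m.group(1)] = m.group(2)
    return deps


def verify_rebuild(buildinfo_text, rebuilt_files):
    """Compare rebuilt artifacts (filename -> bytes) against the checksums the
    .buildinfo recorded. Returns {filename: "reproducible"|"mismatch"|"missing"}."""
    fields = parse_buildinfo(buildinfo_text)
    report = {}
    for filename, (want_digest, want_size) in parse_checksums(fields).items():
        data = rebuilt_files.get(filename)
        if data is None:
            report[filename] = "missing"
            continue
        got_digest = hashlib.sha256(data).hexdigest()
        ok = got_digest == want_digest and len(data) == want_size
        report[filename] = "reproducible" if ok else "mismatch"
    return report


if __name__ == "__main__":
    deb = "hello_2.10-2_amd64.deb"
    print(verify_rebuild(SAMPLE_BUILDINFO, {deb: REBUILT_IDENTICAL}))
    print(verify_rebuild(SAMPLE_BUILDINFO, {deb: REBUILT_DIFFERENT}))
    print(parse_installed_build_depends(parse_buildinfo(SAMPLE_BUILDINFO)))
```

Run against real files, the rebuilt bytes would come from a build done in an environment assembled from the Installed-Build-Depends versions; the report then gives the "real-world number" the thread asks for, one artifact at a time, rather than the rebuild-twice-with-variations figure.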