[rb-general] Core Debian reproducibility: how close?

David A. Wheeler dwheeler at dwheeler.com
Thu Oct 25 04:05:35 CEST 2018

On Tue, 23 Oct 2018 17:00:53 -0400, Chris Lamb <lamby at debian.org> wrote:
> This section on our wiki may literally answer this question for you:
>   https://wiki.debian.org/ReproducibleBuilds#Big_outstanding_issues
> (I would concede that this is not the most obvious place to find
> such things.)

Thanks so much!! That's much closer to what I was looking for.  It's a little hard for me to tell from this list "how close are we to having reproducible builds in the real systems people use".  To be fair, I suspect that's hard to estimate even for the people most directly involved :-).  If there's an estimated time of arrival that'd be awesome... is there one?

Also, one of those items looks more like a "future nice to have" than something necessary to counter subverted binaries:
  - Tighten up the Policy definition of "reproducible" to be stricter about environment variables and build paths. 

Allowing more flexibility like arbitrary build paths, swapping out tools (like generating the same zips/tars from *different* tools), and so on are awesome long-term.  However, I think none of these is necessary if the goal is to be able to have reproducible builds (to detect if build results have been tampered with).  It might be better to primarily focus efforts on getting the reproducible builds for the core packages actually used by people.  Perhaps that's already happening, it's not clear to me just from following the mailing list.  In any case, once more "real systems people use" are reproducible, I think it will be much easier to get additional people to improve their flexibility (e.g., improving tar programs).

-- David A. Wheeler
