[rb-general] Core Debian reproducibility: how close?
Vagrant Cascadian
vagrant at debian.org
Sat Oct 27 17:28:14 CEST 2018
On 2018-10-23, Vagrant Cascadian <vagrant at debian.org> wrote:
> On 2018-10-23, David A. Wheeler wrote:
>> On Tue, 23 Oct 2018 11:01:19 -0700, Vagrant Cascadian <vagrant at debian.org> wrote:
>>> These numbers are all theoretical, as they are not testing against
>>> binary packages actually in the archive, it's just rebuilding the
>>> sources twice with variations added.
>>
>> That progress is impressive, especially since this is a hard problem.
>>
>> However, I want to know *actual* not theoretical.
>
> It's unfortunately missing key infrastructure to do so... so, if you
> need hard numbers, the harsh reality might very well be 0% reproducible.
...
>> That helps, but it looks like there are still some infrastructure problems that
>> are preventing Debian (even the required subset) from being reproducible
>> "in real life". The issues seem to have been in the works since 2015.
>> Holgar appears to be soldiering on (yay!), and I know Chris Lamb's been working
>> on this (big congrats!). But I leave reading that trail still confused.
...
> Then we could move on to the before-mentioned tooling that actually uses
> the .buildinfo files to attempt to reproduce builds in the archive. And
> then we could actually test against packages in the archive, and start
> providing real-world numbers.
Ok, I've found at least one package in the required set, with three
distinct .buildinfo files that converged on the same .deb:
https://buildinfo.debian.net/api/v1/buildinfos/checksums/sha1/c262c9be86f949bbab7c3cbf21db32204f08cc67
The checksum on all three .buildinfo files matches the dash package
currently in the Debian archive.
We're now officially beyond mere theory!
It is, of course, an ordeal for an end-user to actually
verify... basically it amounted to downloading the package from the
archive, computing the sha1sum (since the Packages files only contain
MD5 (shudder) and sha256 (not yet supported by the buildinfo.debian.net
api)), and then checking for matching .buildinfo files at the above URL.
live well,
vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20181027/87b0dad5/attachment.sig>
More information about the rb-general
mailing list