[rb-general] Core Debian reproducibility: how close?
jcappos at nyu.edu
Sat Oct 27 21:52:44 CEST 2018
in-toto will help with the verification part (whether by end users or the
On Sat, Oct 27, 2018 at 11:28 AM Vagrant Cascadian <vagrant at debian.org>
> On 2018-10-23, Vagrant Cascadian <vagrant at debian.org> wrote:
> > On 2018-10-23, David A. Wheeler wrote:
> >> On Tue, 23 Oct 2018 11:01:19 -0700, Vagrant Cascadian <vagrant at debian.org> wrote:
> >>> These numbers are all theoretical, as they are not testing against
> >>> binary packages actually in the archive, it's just rebuilding the
> >>> sources twice with variations added.
> >> That progress is impressive, especially since this is a hard problem.
> >> However, I want to know *actual* not theoretical.
> > It's unfortunately missing key infrastructure to do so... so, if you
> > need hard numbers, the harsh reality might very well be 0% reproducible.
> >> That helps, but it looks like there are still some infrastructure problems that
> >> are preventing Debian (even the required subset) from being reproducible
> >> "in real life". The issues seem to have been in the works since 2015.
> >> Holger appears to be soldiering on (yay!), and I know Chris Lamb's been
> >> on this (big congrats!). But I leave reading that trail still confused.
> > Then we could move on to the before-mentioned tooling that actually uses
> > the .buildinfo files to attempt to reproduce builds in the archive. And
> > then we could actually test against packages in the archive, and start
> > providing real-world numbers.
> Ok, I've found at least one package in the required set, with three
> distinct .buildinfo files that converged on the same .deb:
> The checksum on all three .buildinfo files matches the dash package
> currently in the Debian archive.
> We're now officially beyond mere theory!
> It is, of course, an ordeal for an end-user to actually
> verify... basically it amounted to downloading the package from the
> archive, computing the sha1sum (since the Packages files only contain
> MD5 (shudder) and sha256 (not yet supported by the buildinfo.debian.net
> api)), and then checking for matching .buildinfo files at the above URL.
> live well,
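The end-user check Vagrant describes, as an added example that is not part of the thread: hash the downloaded .deb and compare it with the Checksums-Sha1 (or Checksums-Sha256) entries of candidate .buildinfo files, reporting which of them converge on the package. The .deb bytes and the three .buildinfo texts are constructed inline as stand-ins for rebuilders' files (nothing here is fetched from the archive or buildinfo.debian.net); the field layout follows the deb822 style used by .buildinfo.

```python
import hashlib

# Parse one multi-line deb822 checksum field ("Checksums-Sha1" or
# "Checksums-Sha256") out of a .buildinfo body. Continuation lines are
# indented and look like: " <hexdigest> <size> <filename>".
def parse_checksums(buildinfo_text, field):
    entries = {}
    in_field = False
    for line in buildinfo_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith((" ", "\t")):
                break  # next field begins, checksum block is over
            digest, size, filename = line.split()
            entries[filename] = (digest.lower(), int(size))
    return entries

def verify_deb(deb_bytes, filename, buildinfo_texts, algo="sha1"):
    """Return indexes of the .buildinfo texts whose recorded digest and size
    for `filename` match the .deb actually downloaded (empty list = no match)."""
    field = "Checksums-" + algo.capitalize()  # Checksums-Sha1 / Checksums-Sha256
    actual = hashlib.new(algo, deb_bytes).hexdigest()
    matching = []
    for i, text in enumerate(buildinfo_texts):
        rec = parse_checksums(text, field).get(filename)
        if rec is not None and rec == (actual, len(deb_bytes)):
            matching.append(i)
    return matching

def make_buildinfo(deb_bytes, filename, build_path):
    """Constructed stand-in for what a rebuilder's .buildinfo records; only the
    fields this example needs, with digests computed from deb_bytes."""
    return ("Format: 1.0\nSource: dash\n"
            f"Build-Path: {build_path}\n"
            "Checksums-Sha1:\n"
            f" {hashlib.sha1(deb_bytes).hexdigest()} {len(deb_bytes)} {filename}\n"
            "Checksums-Sha256:\n"
            f" {hashlib.sha256(deb_bytes).hexdigest()} {len(deb_bytes)} {filename}\n"
            "Build-Architecture: amd64\n")

# Constructed sample input: fake package bytes and three .buildinfo files from
# distinct build paths that all converged on the same .deb.
DEB_NAME = "dash_example_amd64.deb"
DEB_BYTES = b"constructed stand-in for the contents of " + DEB_NAME.encode()
BUILDINFOS = [make_buildinfo(DEB_BYTES, DEB_NAME, p)
              for p in ("/build/dash-1st", "/build/dash-2nd", "/build/dash-3rd")]

if __name__ == "__main__":
    print("matching .buildinfo files:", verify_deb(DEB_BYTES, DEB_NAME, BUILDINFOS))
    print("after tampering:", verify_deb(DEB_BYTES + b"\x00", DEB_NAME, BUILDINFOS))
```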