[rb-general] Core Debian reproducibility: 57% and rising!

Vagrant Cascadian vagrant at debian.org
Mon Oct 29 01:42:58 CET 2018


On 2018-10-27, Vagrant Cascadian wrote:
> Ok, I've found at least one package in the required set, with three
> distinct .buildinfo files that converged on the same .deb:
...
> We're now officially beyond mere theory!

And now I've found 88 binary packages!

I used the crude script below, with the list of packages passed as
arguments produced by debootstrap 1.0.109:

  debootstrap --print-debs sid $(mktemp -d)

Which produced 88 reproducible packages (2 or more matching .buildinfo
files), and 66 unreproducible (1 or fewer matching .buildinfo files).
Some packages just passed the minimum bar of 2 or more, some had over 17
corroborating .buildinfo files.

So in the real world, about 57% of the packages installed in a
minimal system are verifiably reproducible.

The unreproducible numbers include simply unknown things; packages which
have no .buildinfo files available, haven't been (re)built recently
enough to have a .buildinfo file, only unsigned .buildinfo files,
etc. With targeted rebuilds of some of those packages with the
"matching" toolchain, my guess is we would get even higher
reproducibility numbers.

I also tried a narrower set with the packages produced by "debootstrap
--variant=minbase", which had 51 reproducible and 33 unreproducible,
getting a slightly better average of 60% reproducible.


live well,
  vagrant

reproducible packages: 88: adduser_3.118_all.deb
base-files_10.1_amd64.deb bsdutils_1%3a2.32.1-0.1_amd64.deb
coreutils_8.30-1_amd64.deb dash_0.5.10.2-1_amd64.deb
debconf_1.5.69_all.deb debian-archive-keyring_2017.7_all.deb
debianutils_4.8.6_amd64.deb dpkg_1.19.2_amd64.deb
e2fsprogs_1.44.4-2_amd64.deb fdisk_2.32.1-0.1_amd64.deb
gpgv_2.2.10-3_amd64.deb grep_3.1-2_amd64.deb gzip_1.9-2.1_amd64.deb
hostname_3.21_amd64.deb init-system-helpers_1.55_all.deb
libapt-pkg5.0_1.7.0_amd64.deb libaudit-common_1%3a2.8.4-2_all.deb
libaudit1_1%3a2.8.4-2_amd64.deb libblkid1_2.32.1-0.1_amd64.deb
libcom-err2_1.44.4-2_amd64.deb libdb5.3_5.3.28+dfsg1-0.2_amd64.deb
libdebconfclient0_0.245_amd64.deb libext2fs2_1.44.4-2_amd64.deb
libfdisk1_2.32.1-0.1_amd64.deb libgmp10_2%3a6.1.2+dfsg-3_amd64.deb
libidn2-0_2.0.5-1_amd64.deb liblz4-1_1.8.2-1_amd64.deb
libmount1_2.32.1-0.1_amd64.deb libncursesw6_6.1+20181013-1_amd64.deb
libp11-kit0_0.23.14-2_amd64.deb libpam-runtime_1.1.8-3.8_all.deb
libseccomp2_2.3.3-3_amd64.deb libsemanage-common_2.8-1_all.deb
libsepol1_2.8-1_amd64.deb libsmartcols1_2.32.1-0.1_amd64.deb
libss2_1.44.4-2_amd64.deb libsystemd0_239-10_amd64.deb
libtasn1-6_4.13-3_amd64.deb libtinfo6_6.1+20181013-1_amd64.deb
libudev1_239-10_amd64.deb libuuid1_2.32.1-0.1_amd64.deb
libzstd1_1.3.5+dfsg-1_amd64.deb mount_2.32.1-0.1_amd64.deb
ncurses-base_6.1+20181013-1_all.deb ncurses-bin_6.1+20181013-1_amd64.deb
sed_4.5-2_amd64.deb sysvinit-utils_2.88dsf-59.11_amd64.deb
tar_1.30+dfsg-2_amd64.deb tzdata_2018g-1_all.deb
util-linux_2.32.1-0.1_amd64.deb cpio_2.12+dfsg-6_amd64.deb
debconf-i18n_1.5.69_all.deb dmidecode_3.2-1_amd64.deb
dmsetup_2%3a1.02.145-4.1_amd64.deb init_1.55_amd64.deb
iproute2_4.18.0-2_amd64.deb iptables_1.8.1-2_amd64.deb
libapparmor1_2.13.1-2_amd64.deb libcryptsetup12_2%3a2.0.4-3_amd64.deb
libdevmapper1.02.1_2%3a1.02.145-4.1_amd64.deb
libdns-export1102_1%3a9.11.4.P2+dfsg-3_amd64.deb
libelf1_0.170-0.5_amd64.deb libfastjson4_0.99.8-2_amd64.deb
libidn11_1.33-2.2_amd64.deb libip4tc0_1.8.1-2_amd64.deb
libip6tc0_1.8.1-2_amd64.deb libiptc0_1.8.1-2_amd64.deb
libisc-export169_1%3a9.11.4.P2+dfsg-3_amd64.deb
libjson-c3_0.12.1-1.3_amd64.deb libncurses6_6.1+20181013-1_amd64.deb
libnetfilter-conntrack3_1.0.7-1_amd64.deb
libnewt0.52_0.52.20-8_amd64.deb libnftnl7_1.1.1-1_amd64.deb
libxtables12_1.8.1-2_amd64.deb logrotate_3.14.0-4_amd64.deb
lsb-base_9.20170808_all.deb netbase_5.4_all.deb
readline-common_7.0-5_all.deb sensible-utils_0.0.12_all.deb
systemd_239-10_amd64.deb systemd-sysv_239-10_amd64.deb
tasksel_3.46_all.deb tasksel-data_3.46_all.deb udev_239-10_amd64.deb
vim-common_2%3a8.1.0320-1_all.deb whiptail_0.52.20-8_amd64.deb
xxd_2%3a8.1.0320-1_amd64.deb

unreproducible packages: 66: apt_1.7.0_amd64.deb
base-passwd_3.5.45_amd64.deb bash_4.4.18-3.1_amd64.deb
diffutils_1%3a3.6-1_amd64.deb findutils_4.6.0+git+20181018-1_amd64.deb
gcc-8-base_8.2.0-8_amd64.deb libacl1_2.2.52-3+b1_amd64.deb
libattr1_1%3a2.4.47-2+b2_amd64.deb libbz2-1.0_1.0.6-9_amd64.deb
libc-bin_2.27-6_amd64.deb libc6_2.27-6_amd64.deb
libcap-ng0_0.7.9-1_amd64.deb libffi6_3.2.1-8_amd64.deb
libgcc1_1%3a8.2.0-8_amd64.deb libgcrypt20_1.8.4-3_amd64.deb
libgnutls30_3.5.19-1+b1_amd64.deb libgpg-error0_1.32-3_amd64.deb
libhogweed4_3.4-1_amd64.deb liblzma5_5.2.2-1.3_amd64.deb
libnettle6_3.4-1_amd64.deb libpam-modules_1.1.8-3.8_amd64.deb
libpam-modules-bin_1.1.8-3.8_amd64.deb libpam0g_1.1.8-3.8_amd64.deb
libpcre3_2%3a8.39-11_amd64.deb libselinux1_2.8-1+b1_amd64.deb
libsemanage1_2.8-1+b1_amd64.deb libstdc++6_8.2.0-8_amd64.deb
libunistring2_0.9.10-1_amd64.deb login_1%3a4.5-1.1_amd64.deb
mawk_1.3.3-17+b3_amd64.deb passwd_1%3a4.5-1.1_amd64.deb
perl-base_5.26.2-7+b1_amd64.deb zlib1g_1%3a1.2.11.dfsg-1_amd64.deb
apt-utils_1.7.0_amd64.deb bsdmainutils_11.1.2+b1_amd64.deb
cron_3.0pl1-130_amd64.deb gdbm-l10n_1.18.1-1_all.deb
ifupdown_0.8.34_amd64.deb iputils-ping_3%3a20180629-2_amd64.deb
isc-dhcp-client_4.3.5-4+b1_amd64.deb
isc-dhcp-common_4.3.5-4+b1_amd64.deb kmod_25-1_amd64.deb
less_487-0.1+b1_amd64.deb libapt-inst2.0_1.7.0_amd64.deb
libargon2-1_0~20171227-0.1_amd64.deb libbsd0_0.9.1-1_amd64.deb
libcap2_1%3a2.25-1.2_amd64.deb libcap2-bin_1%3a2.25-1.2_amd64.deb
libestr0_0.1.10-2.1_amd64.deb libjansson4_2.11-1_amd64.deb
libkmod2_25-1_amd64.deb liblocale-gettext-perl_1.07-3+b3_amd64.deb
liblognorm5_2.0.5-1_amd64.deb libmnl0_1.0.4-2_amd64.deb
libnfnetlink0_1.0.1-3+b1_amd64.deb libpopt0_1.16-11_amd64.deb
libprocps7_2%3a3.3.15-2_amd64.deb libslang2_2.3.2-1+b1_amd64.deb
libssl1.1_1.1.1-1_amd64.deb libtext-charwidth-perl_0.04-7.1_amd64.deb
libtext-iconv-perl_1.7-5+b6_amd64.deb
libtext-wrapi18n-perl_0.06-7.1_all.deb nano_3.1-1_amd64.deb
procps_2%3a3.3.15-2_amd64.deb rsyslog_8.38.0-1+b1_amd64.deb
vim-tiny_2%3a8.1.0320-1_amd64.deb


#!/bin/sh
# Usage: pass the package names to check as arguments.

packages="$@"
# buildinfo.debian.net lookup of .buildinfo files by the sha1 of a .deb
bdn_url="https://buildinfo.debian.net/api/v1/buildinfos/checksums/sha1"
log=${0}.log

reproducible_packages=
unreproducible_packages=
for package in $packages ; do
	apt-get download "${package}/sid"
	sha1sum "${package}"_*.deb | while read -r checksum package_file ; do
		# Cache the lookup result next to the downloaded .deb
		if [ ! -e "${package_file}.json" ]; then
			wget --quiet -O "${package_file}.json" "${bdn_url}/${checksum}"
		fi
		# Count the lines that mention a .buildinfo file
		count=$(fmt "${package_file}.json" | grep '\.buildinfo' | wc -l)
		if [ "${count}" -ge 2 ]; then
			echo "REPRODUCIBLE: $package_file $count"
		else
			echo "UNREPRODUCIBLE: $package_file $count"
		fi
		echo
	done
done > "$log"

# Summarize the verdicts recorded in the log
reproducible_packages=$(awk '/^REPRODUCIBLE:/{print $2}' "$log")
reproducible_count=$(echo $reproducible_packages | wc -w)
unreproducible_packages=$(awk '/^UNREPRODUCIBLE:/{print $2}' "$log")
unreproducible_count=$(echo $unreproducible_packages | wc -w)

echo reproducible packages: $reproducible_count: $reproducible_packages
echo
echo unreproducible packages: $unreproducible_count: $unreproducible_packages
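
The following is an added example, not part of the original message or the author's script: it re-reads a log in the format that script writes and recomputes the verdict from the count field, so the minimum number of matching .buildinfo files can be raised above 2. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: re-classify the log written by the script above using a
# configurable minimum number of matching .buildinfo files.

# Constructed sample in the script's log format:
#   "<VERDICT>: <package file> <count of .buildinfo lines>"
sample_log() {
	cat <<'EOF'
REPRODUCIBLE: example-a_1.0_amd64.deb 17

REPRODUCIBLE: example-b_2.1-1_all.deb 2

UNREPRODUCIBLE: example-c_0.9_amd64.deb 1

UNREPRODUCIBLE: example-d_3.3-2_amd64.deb 0

REPRODUCIBLE: example-e_1%3a4.5-1_amd64.deb 3

EOF
}

# rb_summary MIN: read a log on stdin, ignore the recorded verdict and
# recompute it from the count field. Blank or malformed lines are skipped;
# an empty log is an error rather than a misleading 0%.
rb_summary() {
	awk -v min="$1" '
		/^(UN)?REPRODUCIBLE: / && $3 ~ /^[0-9]+$/ {
			total++
			if ($3 + 0 >= min) ok++
		}
		END {
			if (total == 0) { print "no packages in log"; exit 1 }
			printf "%d/%d reproducible (%d%%) with >= %d .buildinfo files\n",
				ok, total, int(ok * 100 / total), min
		}'
}

# The bar used in the message (2), then a stricter one (3).
sample_log | rb_summary 2
sample_log | rb_summary 3
```

Against a real run, feed it the log the script leaves behind, for example `rb_summary 3 < script.log`, where script.log is a placeholder for the log file name.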