What should be the proper practice to manage `.dsc` files on Reprepro?
yaobin.wen at minevisionsystems.com
Thu May 26 04:48:16 UTC 2022
In my company, we use *Ubuntu (18.04)* and are practicing reproducible
builds. Our code is built into a lot of .*deb* packages using *debuild* (and
related tools). We have made a lot of effort to make our builds
reproducible by following the Achieve deterministic builds
<https://reproducible-builds.org/docs/> and Known issues related to
<https://tests.reproducible-builds.org/debian/index_issues.html>. We have
made a lot of progress and are still working on it.
We set up a company-wise *Reprepro server to serve the Debian packages
that we build regularly*. We publish both *.deb* files and the *GPG-signed
.dsc* files to the Reprepro server. BTW, our build system is designed to do
an "*change-only build*": if a package is not changed since the last build,
i.e., its *changelog* is not changed, the package is not built again this
time. *Their .deb and .dsc files are still added to Reprepro but because
these files remain unchanged, Reprepro can successfully "add" them (but in
fact they are skipped)*. I figured this point may be important to
understand why I have my questions below.
Although we have solved many reproducibility issues in the .*deb* files, *I
found the .dsc files were changed when* I rebuilt the packages (by deleting
the previously built *.deb* and *.dsc* files) so Reprepro refuses to
include them and reports the following error:
ERROR: '<path-to-dsc-on-build-machine>' cannot be included as
> Already existing files can only be included again, if they are the same,
> md5 expected: <md5-1>, got: <md5-2>
> sha1 expected: <sha1-1>, got: <sha1-2>
> sha256 expected: <sha256-1>, got: <sha256-2>
*diffoscope* told me the `.*dsc*` files *only differ in their GPG
signatures* - the related source tarball (<filename>.orig.tar.gz) and
debian tarball (<filename>.debian.tar.xz) *have not changed between builds.*
I understand that, because as this SO answer says
<https://security.stackexchange.com/a/78958/80050>, the GPG signature is
generated using the creation time as an input. I found the issue
made me think we should not have signed our .*dsc* files, but the Debian
shows that the .*dsc* files are supposed to be signed by the maintainers.
In addition, in the Known Issues list
<https://tests.reproducible-builds.org/debian/index_issues.html>, I didn't
seem to find any issue that's related with the .*dsc* files.
*After reading around, I'm guessing my understanding about
reproducible builds may not be totally correct, so I want to ask here:*
1. *Should the .dsc files be reproducible, too?* Because Reprepro can
manage .*dsc* files, I've been thinking that .*dsc* files should be
reproducible, but now it seems not?
2. In my case, since my company maintains both .*deb* files and .*dsc* files
in Reprepro, if one day we need to build the code of an earlier version, we
would inevitably generate different .*dsc* files because of the GPG
signatures. *Am I supposed to publish the .dsc files to the same
Reprepro server that we maintain our regular build?* Because I've been
thinking .*dsc* files should also be reproducible, I've been thinking we
should keep using the same Reprepro server. *But now it looks like we
need to prepare a second Reprepro server to hold the packages of the
3. *How does everyone else maintain their Reprepro server?* Do they keep
publishing the build artifacts to the same server after a build? Or do they
delete the previously published artifacts before publishing the new build?
Or do they even recreate the Reprepro server every time they make a new
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the rb-general