Debian and reproducible-builds.org incoherence?

Chris Lamb chris at reproducible-builds.org
Wed Apr 12 15:46:50 UTC 2023


Hi Alexis,

> Have I compiled and packaged everything wrong?

Given my skim reading of the SHA256sums, I don't think so. As in, you
seem to be generating the same packages as
tests.reproducible-builds.org, at least on amd64. If anything,
"Debian", ie. the official binaries, are the "wrong" ones here…
although I wouldn't quite use that term. :)

> https://tracker.debian.org/pkg/fbreader indicates reproducibility
> OK.

This is, unfortunately, a little misleading. To clarify, this
statement only means that *tests.reproducible-builds.org* believes
that the fbreader source package is reproducible — it doesn't promise
that the binary packages on the official Debian mirrors are
bit-for-bit identical with anything.

This is, of course, not ideal. Still, this is what folks on this list
are getting at when they say they "want to make Debian 'really'
reproducible".

Regarding precisely why there is a difference, I can't write more at
the moment, but have you tried comparing "your"
fbreader_0.12.10dfsg2-4_amd64.deb with one shipped by Debian using
diffoscope? Happy to run that for you if you can provide your file.


Regards,

-- 
      o
    ⬋   ⬊      Chris Lamb
   o     o     reproducible-builds.org 💠
    ⬊   ⬋
      o


More information about the rb-general mailing list