How to verify a package by rebuilding it locally on Debian?

Vagrant Cascadian vagrant at reproducible-builds.org
Tue Feb 13 18:50:41 UTC 2024


On 2024-02-12, cen wrote:
> I would like to verify that a package is reproducible by rebuilding it 
> locally on Debian (bookworm).
...
> I found https://buildinfos.debian.net and I can in theory fetch a 
> .buildinfo file from there using the correct package version and arch 

Yeah, buildinfos.debian.net should get you the .buildinfo file for
packages actually present in Debian...


> but debrebuild is not happy about it:
>
> debrebuild --buildresults=./artifacts --builder=mmdebstrap 
> nano_7.2-1_amd64.buildinfo
> Unknown option: buildresults
> nano_7.2-1_amd64.buildinfo contained a GPG signature; it has NOT been 
> validated (debrebuild does not support this)!
> Use of uninitialized value $srcpkgver in substitution (s///) at 
> /usr/bin/debrebuild line 246.
> refusing to overwrite the input buildinfo file

Well, this looks very similar to the documented use in the debrebuild
manpage, so probably a bug report to devscripts/debrebuild is in order.

If you're lucky, debrebuild *should* work, but there have been issues
with snapshot.debian.org that make it less reliable than one might
hope.

There is a work-in-progress on a snapshot replacement for the purposes
of rebuilding all packages currently in Debian, though it needs more
work and possibly a different frontend, or to add support for it to
debrebuild, as it is a little different design from snapshot.debian.org.


So, in short, no, there is nothing quite working yet, although there is
work in that direction; now that we have demonstrated reproducible
builds as more than theoretically possible, this is a pretty important
goal for Debian in 2024!


live well,
  vagrant
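
Once a local rebuild does produce artifacts, the comparison against the published .buildinfo can be scripted. The following is an added example, not part of the original message and not debrebuild's own code: it reads the `Checksums-Sha256` field of a .buildinfo and checks each listed file in a local directory. Like debrebuild, it does not validate the GPG signature, and the file names and sample data are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed artifact names used only by demo() below.
NAMES = ["example_1.0-1_amd64.deb", "example-doc_1.0-1_all.deb", "example-dbg_1.0-1_amd64.deb"]

def strip_clearsign(text):
    """Return the body of a PGP clearsigned file; the signature is NOT verified."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    start = lines.index("") + 1  # armor headers end at the first blank line
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start:end])

def parse_sha256(buildinfo_text):
    """Map filename -> (sha256, size) from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in strip_clearsign(buildinfo_text).splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False  # any other field ends the checksum list
    return entries

def compare(buildinfo_text, artifact_dir):
    """Return {filename: 'match' | 'mismatch' | 'missing'} per recorded artifact."""
    result = {}
    for name, (digest, size) in parse_sha256(buildinfo_text).items():
        path = Path(artifact_dir, Path(name).name)  # never follow paths out of the dir
        data = path.read_bytes() if path.is_file() else None
        ok = data is not None and len(data) == size and hashlib.sha256(data).hexdigest() == digest
        result[name] = "missing" if data is None else "match" if ok else "mismatch"
    return result

def demo():
    """Constructed sample: one identical artifact, one differing, one absent."""
    good, bad = b"constructed deb contents\n", b"rebuilt differently\n"
    entry = f" {hashlib.sha256(good).hexdigest()} {len(good)} "
    info = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\nFormat: 1.0\n"
            "Checksums-Sha256:\n" + "".join(entry + n + "\n" for n in NAMES) +
            "Build-Architecture: amd64\n-----BEGIN PGP SIGNATURE-----\n(placeholder)\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, NAMES[0]).write_bytes(good)
        Path(d, NAMES[1]).write_bytes(bad)
        return compare(info, d)
```

A result of `match` for every entry means the local artifacts are bit-for-bit identical to the ones the .buildinfo records; the signature on the .buildinfo still has to be checked separately.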