Two questions about build-path reproducibility in Debian

Vagrant Cascadian vagrant at reproducible-builds.org
Mon Mar 4 20:40:47 UTC 2024


On 2024-03-04, John Gilmore wrote:
> Vagrant Cascadian wrote:
>> > > to make it easier to debug other issues, although deprioritizing them
>> > > makes sense, given buildd.debian.org now normalizes them.
>
> James Addison via rb-general <rb-general at lists.reproducible-builds.org> wrote:
>> Ok, thank you both.  A number of these bugs are currently recorded at severity
>> level 'normal'; unless told not to, I'll spend some time to double-check their
>> details and - assuming all looks OK - will bulk downgrade them to 'wishlist'
>> severity a week or so from now.

Well, I think we should change it to "minor" rather than "wishlist"
severity, but that may be splitting hairs; I do not find a huge amount
of difference between Debian bug severities... they are pretty much
either critical/serious/grave and thus must be fixed, or
normal/minor/wishlist and fixed when someone feels like it.


> I may be confused about this.  These bug reports are that a package cannot
> be reproducibly built because its output binary depends on the directory in which
> it was built?
>
> Why would these become "wishlist" bugs as opposed to actual reproducibility bugs
> that deserve fixing, just because one server at Debian no longer invokes this
> bug because it always uses the same build directory?
>
> If an end user can't download a source package (into any directory on
> any machine), and build it into the same exact binary as the one that Debian
> ships, this is not a "wishlist" idea for some future enhancement.  This
> is a real issue that prevents the code from being reproducible.

I agree it is a real issue, but admit it is fairly easy to work around;
given most package building tools use chroots or containers or similar,
it seems acceptable to treat build paths as a lower priority. Compare
that to timestamps, which are non-trivial to force to use the exact same
clock moving at the exact same rate; I would say build path
normalization is quite tolerable, if not ideal.

You cannot just build on "any machine"; the machine needs to have a
sufficiently similar build environment (e.g. exactly matching compiler
versions, same architecture, etc.) and whether the build path is part of
that or not is simply a decision to make.

Several (many?) other distros normalize the build path as part of their
standard build tooling; Debian is arguably a latecomer to that practice.

I have definitely argued in favor of addressing build path issues, and
encourage people to fix them, and have personally spent more than a
small amount of time working on it, and we have made huge progress on
fixing (tens of?) thousands of them.

There are only so many hours in the day and so many people actively
working on fixing things... there may be bigger fires to put out at the
moment.


live well,
  vagrant
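The thread's point is that a build path can end up inside the produced artifact, so two people building the same source in different directories get different bytes, and that build tooling can normalize the path away. The following is an added illustration, not code from the thread or from Debian's tooling; it uses Python's own bytecode compiler as a stand-in build step, because py_compile records the source path it is given in the .pyc. Each "build" runs in a fresh interpreter inside its own temporary directory (two packagers, two machines). SOURCE_DATE_EPOCH is set so the .pyc header carries a source hash rather than an mtime, which isolates the build path as the only variable; the module source and directory names are constructed for the example.

```python
"""Demonstrate a build-path leak into a build artifact and its normalization.

The toy build step is py_compile: without a normalized 'dfile', the absolute
path of the source file is stored in the bytecode (co_filename), so the build
directory becomes part of the output.
"""
import hashlib
import os
import subprocess
import sys
import tempfile

# Constructed sample module; identical in every build.
SAMPLE_SOURCE = "def greet(name):\n    return f'hello, {name}'\n"

# Build script run in a separate interpreter, so each build starts from the
# same interpreter state.  argv[3] is the "purported" filename recorded in the
# .pyc; an empty string means "record the real (absolute) path".
BUILD_SCRIPT = """
import py_compile, sys
src, out, dfile = sys.argv[1], sys.argv[2], (sys.argv[3] or None)
py_compile.compile(src, cfile=out, dfile=dfile, doraise=True)
"""


def build(build_dir, normalize_path):
    """Compile SAMPLE_SOURCE inside build_dir and return the SHA-256 of the .pyc."""
    src = os.path.join(build_dir, "mod.py")
    out = os.path.join(build_dir, "mod.pyc")
    with open(src, "w") as f:
        f.write(SAMPLE_SOURCE)
    # A fixed SOURCE_DATE_EPOCH makes py_compile use a hash-based .pyc header
    # instead of the source mtime, so timestamps cannot cause a difference here.
    env = dict(os.environ, SOURCE_DATE_EPOCH="1")
    subprocess.run(
        [sys.executable, "-c", BUILD_SCRIPT, src, out,
         "mod.py" if normalize_path else ""],
        env=env, cwd=build_dir, check=True)
    with open(out, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def builds_reproducible(normalize_path):
    """Build the same source in two different directories; True if outputs match."""
    with tempfile.TemporaryDirectory(prefix="build-a-") as a, \
         tempfile.TemporaryDirectory(prefix="build-b-") as b:
        return build(a, normalize_path) == build(b, normalize_path)


def build_leaks_path(normalize_path):
    """True if the build directory's absolute path appears verbatim in the .pyc.

    This is the check a reproducibility tester performs: look for the build
    tree's path inside the produced artifact.
    """
    with tempfile.TemporaryDirectory(prefix="build-") as d:
        build(d, normalize_path)
        with open(os.path.join(d, "mod.pyc"), "rb") as f:
            return d.encode() in f.read()


if __name__ == "__main__":
    for normalize in (False, True):
        print(f"normalize_path={normalize}: "
              f"reproducible={builds_reproducible(normalize)} "
              f"path_in_output={build_leaks_path(normalize)}")
```

Passing the real absolute path with no normalization is what many build systems do by default, which is why the unnormalized build differs between directories and contains the path as plain bytes. The normalized variant is the moral equivalent of a fixed build directory on the buildd or of compiler flags that map the build prefix to a constant: the output no longer depends on where the source was unpacked.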