Two questions about build-path reproducibility in Debian

David A. Wheeler dwheeler at dwheeler.com
Mon Mar 4 21:25:39 UTC 2024



> On Mar 4, 2024, at 3:37 PM, Holger Levsen <holger at layer-acht.org> wrote:
> 
> On Mon, Mar 04, 2024 at 11:52:07AM -0800, John Gilmore wrote:
>> Why would these become "wishlist" bugs as opposed to actual reproducibility bugs
>> that deserve fixing, just because one server at Debian no longer invokes this
>> bug because it always uses the same build directory?
> 
> because it's "not one server at Debian" but what many ecosystems do: build in a
> deterministic path (eg /$pkg/$version or whatever) or record the path as part
> of the build environment, to have it deterministic as well.
> 
> in the distant past, before namespacing became popular, using a random path
> was a solution to allow parallel builds of the same software & version.
> 
> and yes, this is a shortcut and a tradeoff, similar to demanding to build 
> in a certain locale. also it makes reproducibility from around 80-85% of all 
> packages to >95%, IOW with this shortcut we can have meaningful reproducibility
> *many years* sooner, than without.
> 
> and I'd really rather like to see Debian 100% reproducible in 2030, than in 2038.
> and some subsets today, or much sooner.

I agree with Holger (and Vagrant).

It'd be *nice* if a build was reproducible regardless of the directory used to build it.
But today, if you're building an executable for others, it's common to build using a
container/chroot or similar that makes it easy to implement "must compile with these paths",
while *fixing* this is often a lot of work.

I suggest focusing on ensuring everyone knows what the executable files contain, first.
If people can add more flexibility to their build process, all the better, but that added flexibility
comes at a cost of time and effort that is NOT as important.

--- David A. Wheeler


