Two questions about build-path reproducibility in Debian

[Richard Purdie]

On Tue, 2024-03-05 at 08:08 -0800, John Gilmore wrote:
> > > But today, if you're building an executable for others, it's common to build using a
> > > container/chroot or similar that makes it easy to implement "must compile with these paths",
> > > while *fixing* this is often a lot of work.
> 
> I know that my opinion is not popular, but let me try again before we lay this decision to rest.
> 
> In avoiding fixing directory dependencies, you can move the complexity around, but in doing so you didn't reduce the complexity.

FWIW Yocto Project is a strong believer in build reproducibiity
independent of build path and we've been quietly chipping away at those
issues.

There are issues we resolve by using carefully selected compiler
options or environment variables like SOURCE_DATE_EPOCH but also things
we do highlight to upstreams and ask if they'd mind improving them. In
general once they're aware of the issues, they do try and help. We have
identified several regressions in rust in that regard in the last few
versions for example and also helped test fixes.

OpenEmbedded-Core (around 1000 pieces of software) is 100% reproducible
and we have the tests to prove it running daily, building in different
build paths and comparing the output.

We're working on our wider layers too, e.g. meta-openembedded has
another 2000+ pieces of software and less than 100 are not
reproducible.

So even if debian doesn't do this, there is interest elsewhere and I
believe good progress is being made.

Cheers,

Richard