Two questions about build-path reproducibility in Debian

John Gilmore gnu at toad.com
Wed Mar 6 06:30:55 UTC 2024


Thanks, everyone, for your contributions to this discussion.

A quick note:
Vagrant Cascadian <vagrant at reproducible-builds.org> wrote:
> It would be pretty impractical, at least for Debian tests, to test
> without SOURCE_DATE_EPOCH, as dpkg will set SOURCE_DATE_EPOCH from
> debian/changelog for quite a few years now.

Making a small patch to the local dpkg to alter or remove the value of
SOURCE_DATE_EPOCH, then trying to reproduce all the packages from source
using that version of dpkg, would tell you which of them (newly) fail to
reproduce because they depend on SOURCE_DATE_EPOCH.

> Sounds like an interesting project for someone with significant spare
> time and computing resources to take on!

It looks to me like the whole Ubuntu source code (that gets into the
standard release) fits in about 25 GB.  The Debian 12.0.0 release
sources fit in 83GB (19 DVD images).  Both of these are under 1% of a
10TB disk drive that runs about $200.  A recent Ryzen mini-desktop,
with a 0.5TB SSD that could cache it all, costs about $300.  Is this
significant computing resources?  For another $40 we could add a better
heat sink and a USB fan.  How many days would recompiling a whole
release take on this $540 worth of hardware?

(I agree that the "spare" time to set it up and configure the build
would be the hard part.  This is why I advocate for writing and
releasing, directly in the source release DVDs, the tools that would
automate the recompilation and binary comparison.  The end user should
be able to boot the matching binary release DVD, download or copy in the
source DVD images, and type "reproduce-release".)

	John
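
The experiment proposed above (rebuild with an altered SOURCE_DATE_EPOCH and see what newly fails to reproduce), sketched as an added example that is not part of the original message or of dpkg. The three toy builds, the function names and the sample epoch are constructed for illustration; real packages would be built with the patched dpkg and compared the same way.

```python
import hashlib
import io
import os
import tarfile
import time

# Constructed sample value standing in for the date dpkg reads from debian/changelog.
CHANGELOG_EPOCH = 1709706655

def _tar(data, mtime):
    """Pack one file into an uncompressed tar with default owner/mode and the given mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("usr/bin/tool")
        info.size, info.mtime = len(data), mtime
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_clamped(env):
    # Hypothetical toy build: honours SOURCE_DATE_EPOCH for mtimes, else uses the clock.
    return _tar(b"payload", int(env.get("SOURCE_DATE_EPOCH", time.time())))

def build_dateless(env):
    # Hypothetical toy build: never records a date, so the variable is irrelevant.
    return _tar(b"payload", 0)

def build_wallclock(env):
    # Hypothetical toy build: ignores the variable and embeds the current time.
    return _tar(b"built at %d" % time.time_ns(), 0)

def digest(build, epoch):
    """Run one build with SOURCE_DATE_EPOCH set to epoch (or removed if None)."""
    env = {k: v for k, v in os.environ.items() if k != "SOURCE_DATE_EPOCH"}
    if epoch is not None:
        env["SOURCE_DATE_EPOCH"] = str(epoch)
    return hashlib.sha256(build(env)).hexdigest()

def classify(build, epoch=CHANGELOG_EPOCH, shift=86400):
    """Compare a reference build with a plain rebuild and an altered-epoch rebuild."""
    reference = digest(build, epoch)
    if digest(build, epoch) != reference:
        return "already unreproducible"
    if digest(build, epoch + shift) != reference:
        return "depends on SOURCE_DATE_EPOCH"
    return "independent of SOURCE_DATE_EPOCH"

if __name__ == "__main__":
    for b in (build_clamped, build_dateless, build_wallclock):
        print(f"{b.__name__}: {classify(b)}")
```

Passing `None` as the epoch to `digest` covers the other variant mentioned in the message, removing the variable instead of altering it.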


