Two questions about build-path reproducibility in Debian

James Addison jay at jp-hosting.net
Sun Mar 31 20:59:37 UTC 2024


Thanks, Chris,

On Sun, 31 Mar 2024 at 13:01, Chris Lamb <chris at reproducible-builds.org> wrote:
>
> Hi James,
>
> > Approximately thirty are still set to other severity levels, and I plan to
> > update those with the following adjusted messaging […]
>
> Looks good to me. :)
>
> Completely out of interest, are any of those 30 bugs tagged both
> "buildpath" and "toolchain"? It's written nowhere in Policy (and I
> can't remember if it's ever been discussed before), but if package X
> is causing package Y to be unreproducible, I feel that has some
> bearing on the severity of the bug for that issue filed against X…
> completely independent of whether package X is reproducible itself or
> not.  :)

None of the remaining thirty-or-so (and in fact, none of the 66 updated so far)
are usertagged both 'buildpath' and 'toolchain'.

I would say that a few of them _are_ 'toolchain packages' -- mono, binutils-dev
and a few others -- but for these bugs the buildpath issues are internal to
each package at build-time and do not affect the construction of other
packages in their ecosystem.

> Just to underscore that this is simply my curiosity before you
> reassign: in the particular case of *buildpath* AND toolchain, these
> should almost certainly be wishlist anyway because, as discussed, we
> "aren't testing buildpath".

Mostly agree.  Of the bugs in Debian that _are_ usertagged both buildpath and
also toolchain, a few of them appear to have possible known/tested fixes, but in
some cases are awaiting maintainer/upstream support.  Using a static buildpath
seems like it should mitigate most concern there, but if that were not the case,
then the severity of those could perhaps be re-argued based on the quantity,
popularity and importance of affected software (packaged or otherwise).

Regards,
James


More information about the rb-general mailing list