Duplicate Debian packages with matching name-version-arch problem

Vagrant Cascadian vagrant at reproducible-builds.org
Tue Jan 6 22:44:00 UTC 2026


So, .buildinfo files in Debian record the package name, version and
architecture of the build-dependencies (and perhaps a bit more), but
there are corner cases where multiple artifacts have the same name,
version and architecture:

  https://lists.debian.org/debian-snapshot/2025/10/msg00002.html

Obviously we *should* record a checksum in addition to the name, version
and architecture, but that has so far not really manifested, e.g.:

  https://bugs.debian.org/802241

I presume it is a hard problem; that bug is over 10 years old (and is
presumably a precondition for getting checksums into the .buildinfo
files)...

Fortunately, I think this is a quite rare situation, and many of us
happen to be working on a project that can be used to test problems like
this...


If a package is generally bit-for-bit reproducible, if you rebuild it
multiple times with different build dependent permutations
(e.g. PACKAGE_VERSION_ARCH.deb with sha256 123456abcde... and
PACKAGE_VERSION_ARCH.deb with sha256 abcde123456...) we can verify that
the different permutations of PACKAGE_VERSION_ARCH.deb do not actually
affect the build results if it comes out reproducible. So we can "prove"
that the divergence is "ok" without knowing for sure which package it
was originally built with...

If it does not come out bit-for-bit reproducible, we do not clearly
demonstrate that one of the different dependencies is "bad", as small
changes in the dependent packages *might* introduce reproducibility
issues but be otherwise benign... Even in that case, we might be able to
figure out which package permutation was used to perform the build if it
matches the results in the Debian archive.


While it has long bugged me that we do not have checksums for the build
dependencies in Debian's .buildinfo files, Reproducible Builds gives us
some useful ways to gather information about packages even when we
cannot be sure exactly which build dependency was used!

Maybe this has dawned on others already before, but the idea struck me
today, and figured I would share. :)


live well,
  vagrant
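The rebuild-under-every-permutation check described in the message above, as an added example that is not part of the original post or of any Debian tooling. The package names, checksums and the two "build" functions are constructed stand-ins for a real rebuild; the classification logic is the point.

```python
import hashlib
import itertools
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# What a .buildinfo records per build-dependency: (name, version, arch).
NVA = Tuple[str, str, str]

# Constructed sample (hypothetical names and hashes): two build-deps whose
# name-version-arch each match two distinct artifacts in the archive.
AMBIGUOUS: Dict[NVA, List[str]] = {
    ("libfoo-dev", "1.2-3", "amd64"): ["sha256:aaaa1111", "sha256:bbbb2222"],
    ("bar-tools", "0.9", "all"): ["sha256:cccc3333", "sha256:dddd4444"],
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def permutations(ambiguous: Dict[NVA, List[str]]) -> Iterator[Dict[NVA, str]]:
    """Every way of picking one concrete artifact per ambiguous build-dep."""
    keys = sorted(ambiguous)
    for choice in itertools.product(*(ambiguous[k] for k in keys)):
        yield dict(zip(keys, choice))

def classify(ambiguous: Dict[NVA, List[str]],
             build: Callable[[Dict[NVA, str]], bytes],
             archive_sha256: Optional[str] = None):
    """Rebuild under every permutation and compare the resulting .deb bytes.
    Returns (verdict, permutations that could have produced the archive .deb)."""
    outputs = {tuple(sorted(p.items())): sha256_hex(build(p))
               for p in permutations(ambiguous)}
    if len(set(outputs.values())) == 1:
        # Every permutation yields the same bits, so the ambiguity cannot
        # have affected the build, whichever artifact was originally used.
        return "reproducible", list(outputs)
    # Outputs differ: that alone does not make any artifact "bad", but a
    # match against the archive's checksum identifies the permutation used.
    if archive_sha256 is not None:
        matches = [p for p, h in outputs.items() if h == archive_sha256]
        if matches:
            return "unreproducible-identified", matches
    return "unreproducible-unknown", []

# Constructed stand-ins for a real rebuild of PACKAGE_VERSION_ARCH.deb.
def build_ignoring_deps(perm: Dict[NVA, str]) -> bytes:
    return b"deb-contents-v1"  # output independent of the ambiguous deps

def build_embedding_libfoo(perm: Dict[NVA, str]) -> bytes:
    # bakes the libfoo-dev variant into the output, as static linking would
    return b"deb:" + perm[("libfoo-dev", "1.2-3", "amd64")].encode()
```

With a real rebuild function the "reproducible" verdict means the checksum gap in .buildinfo did not matter for this package, and "unreproducible-identified" names the dependency set the archive package was actually built against.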