Current experiments are done in Debian unstable. We maintain a set of modified packages needed to make other packages reproducible.
Contents
APT repository
Our modified packages can be found in the following APT archive, which is signed by 49B6 5747 36D0 B637 CC37 01EA 5DB7 CA67 EA59 A31F:
deb http://reproducible.alioth.debian.org/debian/ ./ deb-src http://reproducible.alioth.debian.org/debian/ ./
Git repositories
Several Git repositories have been created on Alioth. Commit notifications are sent to a dedicated mailing list.
Straightforward patches — or packages not using Git as their version control system — have often been sent directly through the BTS.
Modified packages
The following packages have been modified to enable reproducible builds of other packages:
debhelper
The pu/reproducible_builds debhelper branch in the reproducible project contains several fixes and calls dh_strip_nondeterminism (see below) will be called before dh_compress in dh. See the changelog for details.
dpkg
The pu/reproducible_builds dpkg branch in the reproducible repository makes:
- file order deterministic in control and data part of the .deb,
- uses a single timestamp for .deb ar members
- preset the aforementioned timestamp to the latest changelog entry
add -Wdate-time as part of CPPFLAGS in dpkg-buildflags
- add support for .buildinfo files
strip-nondeterminism
strip-nondeterminism is a post-processing tool that will normalize various file types. dh_strip_nondeterminism will be run by debhelper at the end of the build process.
cdbs
The pu/reproducible_builds cdbs branch in the reproducible project contains a fix for 764478 which makes cdbs call the newly introduced dh_strip_nondeterminism commands.
javatools
The pu/reproducible_builds javatools branch in the reproducible repository changes javahelper to call jh_installlibs after dh_install. See 764988.
discount
discount needs a patch to produce stable output of email addresses. See 762622 and the pu/reproducible_builds branch.
ghc
The pu/reproducible_builds ghc branch in the reproducible repository changes ghc to not include timestamps in interface hashes. See 769893
python-setuptools
python-setuptools needs a patch to write names top_level.txt in a stable order. See 773969
r-base
r-base needs a patch to remove build time and username written while building packages. See 774031
fontforge
fontforge needs a patch to propagate creation and modification times from source file. See 774148 and the pu/reproducible_builds branch.
python-qt4
python-qt4 needs a patch to remove timestamps from generated files. See 774509
pyqt5
pyqt5 needs a patch to remove timestamps from generated files. See 774510
libxslt
libxslt needs a patch to make generate-id() return identifiers in a deterministic way. See the pu/reproducible_builds branch.
Usage example
If you have a pbuilder already setup, it's fairly easy to setup an environment with the custom toolchain:
sudo cp /var/cache/pbuilder/base.tgz /var/cache/pbuilder/base-reproducible.tgz sudo pbuilder --login --save-after-exec --basetgz /var/cache/pbuilder/base-reproducible.tgz echo 'deb http://reproducible.alioth.debian.org/debian/ ./' > /etc/apt/sources.list.d/reproducible.list apt-get install busybox busybox wget -O- http://reproducible.alioth.debian.org/reproducible.gpg | apt-key add - apt-get purge busybox apt-key fingerprint | grep '49B6 5747 36D0 B637 CC37 01EA 5DB7 CA67 EA59 A31F' || echo 'Something is wrong' apt-get update apt-get upgrade exit 0
Once that's done, one can use the prebuilder script or manually test a package through:
apt-get source --download-only acl sudo DEB_BUILD_OPTIONS=nocheck pbuilder --build --debbuildopts '-b' --basetgz /var/cache/pbuilder/base-reproducible.tgz acl_*.dsc mkdir b1 b2 dcmd cp /var/cache/pbuilder/result/acl_*.changes b1 sudo dcmd rm /var/cache/pbuilder/result/acl_*.changes sudo DEB_BUILD_OPTIONS=nocheck pbuilder --build --debbuildopts '-b' --basetgz /var/cache/pbuilder/base-reproducible.tgz acl_*.dsc dcmd cp /var/cache/pbuilder/result/acl_*.changes b2 sudo dcmd rm /var/cache/pbuilder/result/acl_*.changes
debbindiff (available in Debian main) is useful to check the result:
debbindiff --html $output_file b1/*.changes b2/*.changes
Adding a package to the APT archive
On alioth.debian.org:
Import the private signing key to your keyring, if you haven't already: gpg --import /home/groups/reproducible/private/reproducible-private.gpg
Place the package files in /home/groups/reproducible/htdocs/debian/
Run make from that directory.