Differences between revisions 352 and 353
Revision 352 as of 2017-10-03 14:57:40
Size: 5432
Editor: Infinity0
Comment: update status
Revision 353 as of 2017-10-03 15:04:28
Size: 5231
Editor: Infinity0
Comment: move "next" section up and merge it with the other items
Deletions are marked like this. Additions are marked like this.
Line 13: Line 13:
 * Most packages built in sid today are reproducible under a [[https://www.debian.org/doc/debian-policy/#reproducibility|fixed build-path and environment]]. The next big steps are:
   * Make `dak` process `*.buildinfo` files, see [[DebianBug:763822|#763822 ftp.debian.org: please include .buildinfo file in the archive]] for the relevant bug report.
   * Discuss which environment variables we should blacklist or whitelist, [[DebianBug:876055]].
   * Try to push [[/ExperimentalToolchain|our patches]] upstream, that allow toolchain programs to build reproducibly even varying build paths.
 * Most packages built in sid today are reproducible under a [[https://www.debian.org/doc/debian-policy/#reproducibility|fixed build-path and environment]].
Line 18: Line 15:
   * Using this data, we are starting to develop tools that can [[ReproducibleBuilds/About#Reproduce_the_build_environment|rebuild previously-built packages]] including ones from the official Debian archives.
Line 24: Line 20:
[[https://reproducible.debian.net/userContent/unstable/amd64/stats_pkg_state.png|{{https://reproducible.debian.net/userContent/unstable/amd64/stats_pkg_state.png|Statistics from the continuous integration platform|width=100%}}|class=]]
Line 29: Line 23:
 * Change debian-policy so that "packages should build bit by bit identical binary packages" (DebianBug:844431, change to "must" later…)
 * Start a campaign to get developers to fix their packages and/or NMU them once policy has been changed.
 * Publish `.buildinfo` files uploaded, either into the archive itself (DebianBug:763822) or to buildinfo.debian.net (DebianBug:862073 and DebianBug:862538), maybe first to the latter as a prototype…
 * Make `dak` process `*.buildinfo` files, see [[DebianBug:763822|#763822 ftp.debian.org: please include .buildinfo file in the archive]] for the relevant bug report, with DebianBug:862073 and DebianBug:862538 as intermediate steps.
 * Tighten up the Policy definition of "reproducible" to be stricter about environment variables and build paths.
   * Discuss which environment variables we should blacklist or whitelist, [[DebianBug:876055]].
   * Try to push [[/ExperimentalToolchain|our patches]] upstream, that allow toolchain programs to build reproducibly even varying build paths.
   * Continue to experiment building packages under varying build paths, to see the extent of this issue.
 * Using `.buildinfo` data, develop tools that can [[ReproducibleBuilds/About#Reproduce_the_build_environment|rebuild previously-built packages]] including ones from the official Debian archives.
Line 35: Line 32:

[[https://reproducible.debian.net/userContent/unstable/amd64/stats_pkg_state.png|{{https://reproducible.debian.net/userContent/unstable/amd64/stats_pkg_state.png|Statistics from the continuous integration platform|width=100%}}|class=]]

It should be possible to reproduce, byte for byte, every build of every package in Debian. More information about reproducible builds in general are available at reproducible-builds.org.

About
About

Howto
Make a package reproducible

Contribute
How to help

Toolchain
Experimental toolchain

History
Project history

Alioth
Alioth project

Bugs
Bug reports

Jenkins
Continuous integration

Status

Reproducible builds of Debian as a whole is still not a reality, though individual reproducible builds of packages are possible and being done. So while we are making very good progress, it is a stretch to say that Debian is reproducible.

Next

  • Identify more common problems.
  • Make dak process *.buildinfo files, see #763822 ftp.debian.org: please include .buildinfo file in the archive for the relevant bug report, with 862073 and 862538 as intermediate steps.

  • Tighten up the Policy definition of "reproducible" to be stricter about environment variables and build paths.
    • Discuss which environment variables we should blacklist or whitelist, 876055.

    • Try to push our patches upstream, that allow toolchain programs to build reproducibly even varying build paths.

    • Continue to experiment building packages under varying build paths, to see the extent of this issue.
  • Using .buildinfo data, develop tools that can rebuild previously-built packages including ones from the official Debian archives.

  • Require matching binary packages from the developer and a buildd before accepting the package in the archive. This could initially be opt-in.

For more concrete tasks to be done, look at how to contribute.

Statistics from the continuous integration platform

Drivers

  • h01ger
  • lamby
  • infinity0