we gotta fix policy
|Deletions are marked like this.||Additions are marked like this.|
|Line 15:||Line 15:|
|* Due to DebianBug:862059 packages build on the buildd network are only uploaded with unsigned .buildinfo files so far.||* Due to DebianBug:862059 packages built on the buildd network are only uploaded with unsigned .buildinfo files so far.|
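Review bot: the same "build"/"built" slip survives in the paragraph just below this hunk ("The vast majority of packages build in sid today are reproducible" should read "built in sid"), and the sbuild sentence ("We have a addendum to sbuild that can rebuild a package after recreating the recorded enviroment") needs "an addendum" and "environment"; both are worth folding into the same wording edit rather than leaving for another revision.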
It should be possible to reproduce, byte for byte, every build of every package in Debian. More information about reproducible builds in general is available at reproducible-builds.org.
Reproducible builds of Debian as a whole are still not a reality, though individual reproducible builds of packages are possible and being done. So while we are making very good progress, it is a stretch to say that Debian is reproducible.
The vast majority of packages built in sid today are reproducible: our patches for dpkg finally landed in Debian unstable in December 2016 with dpkg 1.18.1, so the next big step is to make dak process *.buildinfo files; see bug #763822 ("ftp.debian.org: please include .buildinfo file in the archive") for the relevant bug report.
Due to bug 862059, packages built on the buildd network are only uploaded with unsigned .buildinfo files so far.
We have an addendum to sbuild that can rebuild a package after recreating the recorded environment.
We have a continuous integration platform that builds and immediately rebuilds packages. With this we can detect problems related to timestamps, file ordering, CPU usage, (pseudo-)randomness and other things.
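As an added illustration of the build-twice-and-compare check described above (example code written for this page, not the CI platform's or sbuild's own tooling; the source tree and both "buildds" are constructed inside the script), the following Python builds the same files into a tarball under two different environments, reports why the naive archives differ, and shows a deterministic builder that survives the same variation in build time and directory listing order:

```python
"""Added example: build a tiny 'package' archive twice under different
environments, the way a rebuild-and-compare CI does, and explain any
difference.  The source tree and the two simulated buildds are
constructed for illustration; nothing here is Debian's own tooling."""
import gzip
import hashlib
import io
import tarfile

# Constructed source tree: archive path -> file content.
SOURCE = {
    "usr/share/doc/hello/README": b"hello reproducible world\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/hello/data.txt": b"1\n2\n3\n",
}


def _add(tar, path, data, mtime):
    """Add one in-memory file to the tar with fixed owner and mode."""
    info = tarfile.TarInfo(name=path)
    info.size = len(data)
    info.mtime = mtime
    info.mode = 0o755 if path.startswith("usr/bin/") else 0o644
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    tar.addfile(info, io.BytesIO(data))


def build_naive(source, build_time, readdir_order):
    """Simulated non-reproducible build: members are written in whatever
    order the filesystem listed them, every member carries the wall-clock
    build time, and gzip records that time in its header too."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=build_time) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path in readdir_order:
                _add(tar, path, source[path], mtime=build_time)
    return buf.getvalue()


def build_reproducible(source, source_date_epoch, readdir_order):
    """Deterministic build: the listing order is sorted away, every
    timestamp is clamped to SOURCE_DATE_EPOCH, and the gzip header
    mtime is zeroed (the effect of `gzip -n`)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path in sorted(readdir_order):
                _add(tar, path, source[path], mtime=source_date_epoch)
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def explain_difference(blob_a, blob_b):
    """Return human-readable reasons two archives differ: gzip header
    time, member order, per-member mtime, or content."""
    def members(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            return [(m.name, m.mtime, sha256(tar.extractfile(m).read()))
                    for m in tar.getmembers()]

    reasons = []
    # gzip header: bytes 4..8 hold the little-endian modification time.
    if blob_a[4:8] != blob_b[4:8]:
        reasons.append("gzip header mtime differs")
    a, b = members(blob_a), members(blob_b)
    if [m[0] for m in a] != [m[0] for m in b]:
        reasons.append("member order differs")
    for (name, ta, ha), (_, tb, hb) in zip(sorted(a), sorted(b)):
        if ta != tb:
            reasons.append(f"{name}: mtime {ta} != {tb}")
        if ha != hb:
            reasons.append(f"{name}: content differs")
    return reasons


def main():
    # Two buildds: different wall clock, different directory listing order.
    first = build_naive(SOURCE, 1_700_000_000, list(SOURCE))
    second = build_naive(SOURCE, 1_700_003_600, list(reversed(list(SOURCE))))
    print("naive builds identical:", sha256(first) == sha256(second))
    for reason in explain_difference(first, second):
        print("  -", reason)
    # Same two buildds, now honouring SOURCE_DATE_EPOCH and sorting input.
    a = build_reproducible(SOURCE, 1_600_000_000, list(SOURCE))
    b = build_reproducible(SOURCE, 1_600_000_000, list(reversed(list(SOURCE))))
    print("reproducible builds identical:", sha256(a) == sha256(b))


if __name__ == "__main__":
    main()
```

The deterministic builder removes exactly the three inputs the naive one leaks: directory listing order, build time, and the compressor's own timestamp. Clamping timestamps to a fixed epoch is the role SOURCE_DATE_EPOCH plays in real builds; the variation between the two simulated buildds is the kind of difference a rebuild-and-compare CI surfaces.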
Many patches have already been submitted, and we are continuously writing new ones.
You can check which packages installed on your system are still unreproducible by using the unreproducible-installed script.
- Identify more common problems.
- Change debian-policy so that "packages should build bit by bit identical binary packages" (bug 844431; change "should" to "must" later…).
- Start a campaign to get developers to fix their packages and/or NMU them once policy has been changed.
- Require matching binary packages from the developer and a buildd before accepting the package in the archive. This could initially be opt-in.
For more concrete tasks to be done, see the "how to contribute" page.