Line 20: | Line 20: |
= Big outstanding issues = * [[DebianBug:802241|#802241: dpkg: please store the hash of the installed .deb and allow to query it]] * [[DebianBug:763822|#763822: ftp.debian.org: please include .buildinfo file in the archive]] (see also DebianBug:862073 and DebianBug:862538 as intermediate steps) * [[DebianBug:894441|#894441: binNMUs should be replaced by easy "no-change-except-debian/changelog-uploads"]] * [[DebianBug:900837|#900837: Mass-rebuild of packages for reproducible builds]] * [[DebianBug:900918|#900918: debian-installer: Please make the generated images reproducible]] |
|
Line 23: | Line 31: |
* Make `dak` process `*.buildinfo` files, see [[DebianBug:763822|#763822 ftp.debian.org: please include .buildinfo file in the archive]] for the relevant bug report, with DebianBug:862073 and DebianBug:862538 as intermediate steps. * [[DebianBug:894441|#894441: binNMUs should be replaced by easy "no-change-except-debian/changelog-uploads"]] * [[DebianBug:900837|#900837: Mass-rebuild of packages for reproducible build]] * [[DebianBug:900918|#900918: debian-installer: Please make the generated images reproducible]] |
|
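Review bot: the title of #900837 reads "Mass-rebuild of packages for reproducible build" in this hunk but "for reproducible builds" in the Line 20 hunk. Use one spelling of the bug title on whichever side is kept, so the two lists do not disagree about the same bug.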
Line 31: | Line 35: |
* User-facing interfaces (see proof-of-concept in [[DebianBug:863622|#863622: apt: warn when installing packages that are not reproducible]] |
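Review bot: the parenthesis opened at "(see proof-of-concept in" in the User-facing interfaces item is never closed. Add ")" after the closing "]]" of the DebianBug:863622 link so the item renders as a complete sentence.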
It should be possible to reproduce, byte for byte, every build of every package in Debian. More information about reproducible builds in general is available at reproducible-builds.org.
Status
Reproducible builds of Debian as a whole are still not a reality, though individual packages can be, and are being, built reproducibly. So while we are making very good progress, it is a stretch to say that Debian is reproducible.
Most packages built in sid today are reproducible under a fixed build-path and environment.
We have a new control file, *.buildinfo, that records the build environment; see deb-buildinfo for reference. Older design drafts are here.
We have a continuous integration platform that builds and immediately rebuilds packages. With this we can detect problems related to timestamps, file ordering, CPU usage, (pseudo-)randomness and other things.
We are examining packages and sorting out common problems.
Many patches have already been submitted, and we are continuously writing new ones.
You can check which packages installed on your system are still unreproducible by using the reproducible-check script in the devscripts package.
Big outstanding issues
- #802241: dpkg: please store the hash of the installed .deb and allow to query it
- #763822: ftp.debian.org: please include .buildinfo file in the archive (see also 862073 and 862538 as intermediate steps)
- #894441: binNMUs should be replaced by easy "no-change-except-debian/changelog-uploads"
- #900918: debian-installer: Please make the generated images reproducible
Next
- Identify more common problems.
- Tighten up the Policy definition of "reproducible" to be stricter about environment variables and build paths.
- Discuss which environment variables we should blacklist or whitelist (876055).
- Try to push upstream our patches that allow toolchain programs to build reproducibly even under varying build paths.
- Continue to experiment with building packages under varying build paths, to see the extent of this issue.
- User-facing interfaces (see proof-of-concept in #863622: apt: warn when installing packages that are not reproducible).
- Using .buildinfo data, develop tools that can rebuild previously-built packages, including ones from the official Debian archives.
- Require matching binary packages from the developer and a buildd before accepting the package in the archive. This could initially be opt-in.
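The last item above, as an added sketch that is not code from this wiki page or from any Debian tool: it compares the `Checksums-Sha256` entries of two `.buildinfo` files for the same source version and lists the environment fields that differ. The function names are hypothetical, the sample data is constructed, and it assumes the OpenPGP signature has already been verified and stripped.

```python
def parse_buildinfo(text):
    """Parse an unsigned deb822-style .buildinfo body into {field: [value lines]}."""
    fields, key = {}, None
    for line in text.splitlines():
        if key and line[:1] in (" ", "\t"):  # continuation of a multi-line field
            fields[key].append(line.strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
    return fields

def sha256_entries(fields):
    """Return {filename: (sha256, size)} from the Checksums-Sha256 field."""
    entries = {}
    for item in fields.get("Checksums-Sha256", []):
        digest, size, name = item.split()
        entries[name] = (digest, int(size))
    return entries

def compare_builds(dev_text, buildd_text):
    """Compare the artifacts recorded by two independent builds of one version."""
    dev, bd = parse_buildinfo(dev_text), parse_buildinfo(buildd_text)
    if dev.get("Source") != bd.get("Source") or dev.get("Version") != bd.get("Version"):
        raise ValueError("buildinfo files describe different source versions")
    a, b = sha256_entries(dev), sha256_entries(bd)
    mismatched = sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))
    # Environment fields that differ between the two builds, to triage a mismatch.
    env_fields = ("Build-Architecture", "Build-Path", "Installed-Build-Depends", "Environment")
    env_diff = [f for f in env_fields if dev.get(f) != bd.get(f)]
    return {"reproducible": bool(a) and not mismatched, "mismatched": mismatched, "env_diff": env_diff}

# Constructed sample data (not real archive contents).
TEMPLATE = """Format: 1.0
Source: hello
Architecture: amd64
Version: 2.10-1
Checksums-Sha256:
 {digest} 56132 hello_2.10-1_amd64.deb
Build-Architecture: amd64
Build-Path: {path}
Installed-Build-Depends:
 gcc-7 (= {gcc})
"""
DEV = TEMPLATE.format(digest="a" * 64, path="/build/hello-2.10", gcc="7.3.0-19")
BUILDD_SAME = TEMPLATE.format(digest="a" * 64, path="/build/hello-2.10", gcc="7.3.0-19")
BUILDD_DIFF = TEMPLATE.format(digest="b" * 64, path="/tmp/x/hello-2.10", gcc="7.3.0-21")

if __name__ == "__main__":
    for other in (BUILDD_SAME, BUILDD_DIFF):
        print(compare_builds(DEV, other))
```

`Build-Date` is deliberately not compared, since it differs between any two builds without affecting the artifacts.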
For more concrete tasks to be done, look at how to contribute.
Drivers
- h01ger
- lamby
- infinity0