Differences between revisions 359 and 360
Revision 359 as of 2018-06-06 18:01:14
Size: 5493
Editor: lamby
Comment:
Revision 360 as of 2018-06-07 07:46:15
Size: 5708
Editor: lamby
Comment:
Deletions are marked like this. Additions are marked like this.
Line 20: Line 20:
= Big outstanding issues =

 * [[DebianBug:802241|#802241: dpkg: please store the hash of the installed .deb and allow to query it]]
 * [[DebianBug:763822|#763822: ftp.debian.org: please include .buildinfo file in the archive]] (see also DebianBug:862073 and DebianBug:862538 as intermediate steps)
 * [[DebianBug:894441|#894441: binNMUs should be replaced by easy "no-change-except-debian/changelog-uploads"]]
 * [[DebianBug:900837|#900837: Mass-rebuild of packages for reproducible builds]]
 * [[DebianBug:900918|#900918: debian-installer: Please make the generated images reproducible]]
Line 23: Line 31:
 * Make `dak` process `*.buildinfo` files, see [[DebianBug:763822|#763822 ftp.debian.org: please include .buildinfo file in the archive]] for the relevant bug report, with DebianBug:862073 and DebianBug:862538 as intermediate steps.
 * [[DebianBug:894441|#894441: binNMUs should be replaced by easy "no-change-except-debian/changelog-uploads"]]
 * [[DebianBug:900837|#900837: Mass-rebuild of packages for reproducible build]]
 * [[DebianBug:900918|#900918: debian-installer: Please make the generated images reproducible]]
Line 31: Line 35:
 * User-facing interfaces (see proof-of-concept in [[DebianBug:863622|#863622: apt: warn when installing packages that are not reproducible]]

It should be possible to reproduce, byte for byte, every build of every package in Debian. More information about reproducible builds in general are available at reproducible-builds.org.

About
About

Howto
Make a package reproducible

?Contribute
?How to help

Toolchain
Experimental toolchain

History
Project history

Alioth
Alioth project

Bugs
Bug reports

Jenkins
Continuous integration

Status

Reproducible builds of Debian as a whole is still not a reality, though individual reproducible builds of packages are possible and being done. So while we are making very good progress, it is a stretch to say that Debian is reproducible.

  • Most packages built in sid today are reproducible under a fixed build-path and environment.

  • We have a new control file *.buildinfo that records the build environment, see deb-buildinfo for reference. Older design drafts are here.

  • We have a continuous integration platform that builds and immediately rebuilds packages. With this we can detect problems related to timestamps, file ordering, CPU usage, (pseudo-)randomness and other things.

  • We are examining packages and sorting out common problems.

  • Many patches have already been submitted, and we are continuously writing new ones.

  • You can check which packages installed on your system are still unreproducible by using the reproducible-check script in the devscripts package.

Big outstanding issues

Next

  • Identify more common problems.
  • Tighten up the Policy definition of "reproducible" to be stricter about environment variables and build paths.
    • Discuss which environment variables we should blacklist or whitelist, 876055.

    • Try to push our patches upstream, that allow toolchain programs to build reproducibly even varying build paths.

    • Continue to experiment building packages under varying build paths, to see the extent of this issue.
  • User-facing interfaces (see proof-of-concept in #863622: apt: warn when installing packages that are not reproducible

  • Using .buildinfo data, develop tools that can rebuild previously-built packages including ones from the official Debian archives.

  • Require matching binary packages from the developer and a buildd before accepting the package in the archive. This could initially be opt-in.

For more concrete tasks to be done, look at ?how to contribute.

Statistics from the continuous integration platform

Drivers

  • h01ger
  • lamby
  • infinity0


CategoryDebianDevelopment