It should be possible to reproduce, byte for byte, every build of every package in Debian.

For now, we will start with a few maintainers who want to opt in to this goal as we flesh out the details of what will make it possible. This page tracks our progress.

Table of contents:

Drivers

Why do we want reproducible builds?

Others?

Status

Use cases

Detailed package status list

Reproducing builds

There are two sides to the problem: first we need to record the initial build environment, and then we need a way to set up the same environment.

Recording the environment

The right place to record the build environment is the .changes file. Rationale: it lists the checksums of the build products and is signed by either the maintainer or the buildd operator.

To add a field to the .changes file, it is possible to add the following in debian/control:

XC-Build-Environment: ${misc:Build-Environment}

The substvars can be filled by using something like:

# List every installed package as "name (= version)", comma-separated.
COLUMNS=999 dpkg -l | awk '
            BEGIN { printf "misc:Build-Environment=" }
            /^ii/ { ORS=", "; print $2 " (= " $3 ")" }' |
        sed -e 's/, $//' >> debian/substvars

Ideally, this should go in debhelper, but it can be added manually to debian/rules in the meantime.

This does not currently work, as dpkg-genchanges does not substitute the variable before adding the field to .changes! It can be fixed by a trivial patch against dpkg; see 719854.

Reproduce the build environment

Known bugs we are waiting on

Different problems, and their solutions

Build systems tend to capture information about the environment that makes them produce different results across different systems, despite having the same architecture and software installed.

Ideally, such variations should be fixed in the build system itself, but it might sometimes not be possible.

Non-problems

Build paths

These should really be patched out in one way or another. This is not useful information and can actually hide real bugs.

For debug files, use debugedit.

Locale

Builds should be made with LC_ALL=C.UTF-8.

It is quite impractical to force such a value in debian/rules, and there is actually no reason this should not be the default.

Actions:

hostname, uname output, username

Actions:

for several system calls on the same model as libfaketime. Bdale suggested we call it liblietome.

Data files in data.tar.gz have timestamps

{data,control}.tar.{gz,xz,bz2} may have timestamps

{data,control}.tar.{gz,xz,bz2} will store files in readdir order

This is dependent on an accident of filesystem layout at build time, so it would sometimes not be reproducible.

We should probably fix this in dpkg by sorting the contents of the tar files.
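
The two archive problems above (timestamps and readdir order) can be seen, and removed, in a small added example that is not dpkg code and not part of the original page: it packs a tree with sorted member names, clamped mtimes and a pinned gzip header, then builds the same tree twice in different creation orders with different timestamps. The function names and the sample tree are constructed for illustration, and Python's tarfile stands in for dpkg-deb's own packing.

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

def deterministic_tar_gz(root, mtime=0):
    """Pack the tree under root so the bytes depend only on names, modes and contents."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    paths.sort()  # code-point order: independent of readdir order and of the locale
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in paths:
            info = tar.gettarinfo(path, arcname=os.path.relpath(path, root))
            info.mtime = mtime                   # clamp per-file timestamps
            info.uid = info.gid = 0              # do not record the building user
            info.uname = info.gname = "root"
            if info.isreg():
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
            else:
                tar.addfile(info)                # directories, symlinks
    out = io.BytesIO()
    # The gzip header carries its own timestamp and optional file name; pin both.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def make_tree(root, names, stamp):
    """Constructed sample tree: fixed contents, caller-chosen creation order and mtime."""
    for name in names:
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("contents of " + name + "\n")
        os.utime(path, (stamp, stamp))

def build_twice():
    """Build the same tree in two orders with two timestamps; return both digests."""
    names = ["usr/bin/tool", "usr/share/doc/tool/README", "etc/tool.conf"]
    digests = []
    for order, stamp in ((names, 1000000000), (names[::-1], 1400000000)):
        with tempfile.TemporaryDirectory() as root:
            make_tree(root, order, stamp)
            digests.append(hashlib.sha256(deterministic_tar_gz(root)).hexdigest())
    return digests

if __name__ == "__main__":
    print(build_twice())
```

File modes are still taken from the filesystem, so both builds must run under the same umask for the digests to match.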

References