The goal

It should be possible to reproduce, byte for byte, every build of every package in Debian.

For now, we will start with a few maintainers who want to opt in to this goal as we flesh out the details of what will make it possible. This page tracks our progress.

Drivers

Status

Use cases

Detailed package status list

Reproducing builds

There are two sides to the problem: first we need to record the initial build environment, and then we need a way to set up the same environment.

Recording the environment

The right place to record the build environment is the .changes file. Rationale: it lists the checksums of the build products and is signed by either the maintainer or the buildd operator.

To add a field to the .changes file, it is possible to add the following in debian/control:

XC-Build-Environment: ${misc:Build-Environment}

The substvars can be filled by using something like:

       # debian/rules recipe fragment: $$ is make's escape for a literal $
       COLUMNS=999 dpkg -l | awk ' \
                       BEGIN { printf "misc:Build-Environment=" } \
                       /^ii/ { ORS=", "; print $$2 " (= " $$3 ")" }' | \
               sed -e 's/, $$//' >> debian/substvars

Ideally, this should go in debhelper, but it can be added manually to debian/rules in the meantime.

This does not work currently as dpkg-genchanges does not substitute the variable before adding the field in .changes! It can be fixed by a trivial patch against dpkg:

diff --git a/scripts/dpkg-genchanges.pl b/scripts/dpkg-genchanges.pl
index 0b004c7..13cedd6 100755
--- a/scripts/dpkg-genchanges.pl
+++ b/scripts/dpkg-genchanges.pl
@@ -516,4 +516,5 @@ for my $f (keys %remove) {
     delete $fields->{$f};
 }
 
-$fields->output(\*STDOUT); # Note: no substitution of variables
+$fields->apply_substvars($substvars);
+$fields->output(\*STDOUT);
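
Review bot: the removed line carried the comment "Note: no substitution of variables", which reads as a deliberate choice, and the replacement at the end of this hunk now runs apply_substvars over every field left in $fields rather than only the new Build-Environment one. Any field whose text legitimately contains a literal ${...} sequence would be rewritten as well, so consider limiting the substitution to the user-defined field(s), or state in the commit message why expanding all of them is safe. The hunk also does not show where $substvars is populated; confirm it is loaded before this point in the script.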

Reproduce the build environment

Known bugs we are waiting on

Different problems, and their solutions

Non-problems

Data files in data.tar.gz have timestamps

{data,control}.tar.{gz,xz,bz2} may have timestamps

{data,control}.tar.{gz,xz,bz2} will store files in readdir order

This is dependent on an accident of filesystem layout at build time, so it would sometimes not be reproducible.

We should probably fix this in dpkg by sorting the contents of the tar files.
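
The two sources of variation described above (member timestamps and readdir order), shown as an added Python example that is not dpkg code and not from this page's authors. The file names, the two build times, the reversed listing that stands in for a different readdir order, and the FIXED_MTIME value are all constructed assumptions; the archive is left uncompressed so only the tar layer is compared.

```python
import hashlib
import io
import os
import tarfile
import tempfile

FIXED_MTIME = 0  # assumption: any constant both builds agree on would do


def make_tree(root, names, mtime):
    """Create the files with the given mtime (stands in for one build run)."""
    for name in names:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("content of " + name + "\n")
        os.utime(path, (mtime, mtime))


def pack(root, names, normalize):
    """Tar `names` in the order given (the order readdir happened to return)
    and return the SHA-256 of the archive bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in (sorted(names) if normalize else names):
            path = os.path.join(root, name)
            info = tar.gettarinfo(path, arcname=name)
            if normalize:
                info.mtime = FIXED_MTIME  # drop the build-time timestamp
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return hashlib.sha256(buf.getvalue()).hexdigest()


def compare_builds():
    """Return (naive_equal, normalized_equal) for two simulated builds."""
    names = ["usr.txt", "control.txt", "md5sums.txt"]  # constructed sample
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, names, 1_000_000_000)
        make_tree(b, names, 1_000_003_600)  # same sources, built an hour later
        order_a, order_b = names, names[::-1]  # constructed readdir orders
        naive = pack(a, order_a, False) == pack(b, order_b, False)
        fixed = pack(a, order_a, True) == pack(b, order_b, True)
    return naive, fixed


if __name__ == "__main__":
    print(compare_builds())
```

Owner, group and mode are left as read from the filesystem here, since the page only discusses timestamps and ordering.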

References

* Mike Perry's discussion of how it took him eight weeks to make the Tor Browser Bundle have this feature: http://people.debian.org/~paulproteus/mike-perry-reproducible-tbb.txt