It should be possible to reproduce, byte for byte, every build of every package in Debian.
We have a tentative specification for a new control file *.buildinfo that records the build environment.
We have an experimental toolchain that creates *.buildinfo files and allows a good amount of source packages to be reproducible.
We have a addendum to sbuild that can rebuild a package after recreating the recorded enviroment.
We have a continuous integration platform that build and immediately rebuild packages. This can detect problems related to timestamps, file ordering, CPU usage, and (pseudo-)randomness.
Many patches have already been submitted, and we are continuously writing new ones.
You can check which packages installed on your system are still unreproducible by using the unreproducible-installed script.
Reproducible builds in Debian are still at the experimental stage. While we are making very good progress, it is a stretch to say that Debian is reproducible or even partially reproducible until the needed changes are integrated in the main distribution.
- Identify more common problems.
- Get toolchain changes integrated.
- Start a campaign to get developers to fix their packages.
Get .buildinfo files in the archive.
- Require matching binary packages from the developer and a buildd before accepting the package in the archive. This could initially be opt-in.
For more concrete tasks to be done, look at how to contribute.