It should be possible to reproduce, byte for byte, every build of every package in Debian.
We have a tentative specification for a new control file *.buildinfo that records the build environment.
We have an experimental toolchain that creates *.buildinfo files and allows a good number of source packages to be reproducible.
We have an addendum to sbuild that can rebuild a package after recreating the recorded environment.
We have a continuous integration platform that builds and immediately rebuilds packages. This can detect problems related to timestamps, file ordering, CPU usage, and (pseudo-)randomness.
Many patches have already been submitted. Most of them are waiting for Jessie to be released.
You can check which packages installed on your system are still unreproducible by using the unreproducible-installed script.
Reproducible builds in Debian are still at the experimental stage. While we are making very good progress, it is a stretch to say that Debian is reproducible or even partially reproducible until the needed changes are integrated in the main distribution.
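The build-then-rebuild check described above can be illustrated with two of the problem classes it detects, timestamps and file ordering. The following is an added example, not part of Debian's toolchain or the original page: the file names, timestamps and function names are constructed, and a plain tar archive stands in for a package.

```python
import hashlib
import io
import tarfile

# Constructed sample payload standing in for a package's files.
FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/copyright": b"License: example\n",
    "usr/share/doc/hello/changelog": b"hello (1.0) unstable\n",
}

def build(files, order, mtime):
    """Pack files into an uncompressed tar and return its SHA-256.

    order: member names in the order the build tool visits them
    mtime: timestamp stamped on every member
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(files[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()

def naive_build(files, readdir_order, now):
    # Uses whatever order the filesystem returned and the current clock.
    return build(files, readdir_order, now)

def normalized_build(files, readdir_order, now, fixed_mtime=1400000000):
    # Sorts names and replaces the clock with a fixed, recorded timestamp.
    return build(files, sorted(readdir_order), fixed_mtime)

def rebuild_matches(builder):
    # Build twice under a different directory order and a later clock,
    # then compare the hashes byte for byte, as a rebuild check would.
    names = list(FILES)
    first = builder(FILES, names, now=1420000000)
    second = builder(FILES, list(reversed(names)), now=1420000123)
    return first == second

if __name__ == "__main__":
    print("naive build reproducible:     ", rebuild_matches(naive_build))
    print("normalized build reproducible:", rebuild_matches(normalized_build))
```

The naive build fails the comparison because both the member order and the embedded timestamps changed between runs; either one alone is enough to change the hash.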
- Identify more common problems.
- Get toolchain changes integrated once Jessie has been released.
- Start a campaign to get developers to fix their packages.
- Get .buildinfo files in the archive.
- Require matching binary packages from the developer and a buildd before accepting the package in the archive. This could initially be opt-in.
For more concrete tasks to be done, look at how to contribute.