[Debian-salsa-ci] Two questions about build-path reproducibility in Debian

James Addison jay at jp-hosting.net
Thu Mar 28 19:59:00 GMT 2024


Hi again,

On Mon, 11 Mar 2024 at 18:24, James Addison <jay at jp-hosting.net> wrote:
>
> Hi folks,
>
> On Wed, 6 Mar 2024 at 01:04, James Addison <jay at jp-hosting.net> wrote:
> > [ ... snip ...]
> >
> > The Debian bug severity descriptions[1] provide some more nuance, and that
> > reassures me that wishlist should be appropriate for most of these bugs
> > (although I'll inspect their contents before making any changes).
>
> Please find below a draft of the message I'll send to each affected bugreport.
>
> Note: I confused myself when writing this; in fact Salsa-CI reprotest _does_
> continue to test build-path variance, at least until we decide otherwise.
>
> --- BEGIN DRAFT ---
> Because Debian builds packages from a fixed build path, customized build paths
> are _not_ currently evaluated by the 'reprotest' utility in Salsa-CI, or during
> package builds on the Reproducible Builds team's package test infrastructure
> for Debian[1].
>
> This means that this package will pass current reproducibility tests; however
> we still believe that source code and/or build steps embed the build path into
> binary package output, making it more difficult than necessary for independent
> consumers to confirm whether their local compilations produce identical binary
> artifacts.
>
> As a result, this bugreport will remain open and be assigned the 'wishlist'
> severity[2].
>
> ...
>
> [1] - https://tests.reproducible-builds.org/debian/reproducible.html
>
> [2] - https://www.debian.org/Bugs/Developer#severities
> --- END DRAFT ---

Most of the remaining buildpath bugs have been updated to severity 'wishlist'.

Approximately thirty are still set to other severity levels, and I plan to
update those with the following adjusted messaging:

--- BEGIN DRAFT ---
Control: severity -1 wishlist

Dear Maintainer,

Currently, Debian's buildd and also the Reproducible Builds team's testing
infrastructure[1] both use a fixed build path when building binary packages.

This means that your package will pass current reproducibility tests; however
we believe that varying the build path still produces undesirable changes in
the binary package output, making it more difficult than necessary for
independent consumers to check the integrity of those packages by rebuilding
them themselves.

As a result, this bugreport will remain open and be re-assigned the 'wishlist'
severity[2].

You can use the 'reprotest' package build utility - either locally, or as
provided in Debian's Salsa continuous integration pipelines - to assist in
uncovering reproducibility failures due to build-path variance.

For more information about build paths and how they can affect reproducibility,
please refer to: https://reproducible-builds.org/docs/build-path/

...

[1] - https://tests.reproducible-builds.org/debian/reproducible.html

[2] - https://www.debian.org/Bugs/Developer#severities
--- END DRAFT ---

Thanks for your feedback and suggestions,
James


