[Reproducible-builds] Ideas

Jérémy Bobbio lunar at debian.org
Tue Feb 4 09:19:58 UTC 2014


Hi Hilko!

I'm really happy to see you interested in reproducible builds! :)

Please accept my apologies for the delay. I hope to be able to update
the wiki pages some more to sort things out in the next days. The
results of the 6887 source packages that have been tried out need to be
put online.

> Here are some ideas:
>
> 1. Get the most "interesting" / most "useful" pieces done first:
>
> Can we get reproducible builds for the set of packages needed for a
> buildd host?

I think that it sounds like a worthwhile milestone to work on.

> 2. Concentrate on the contents of a binary package instead of the
> package itself:
>
> In his talk, Lunar mentioned that some patches for dpkg (tar file order,
> timestamps) for creating reproducible .deb packages have not been
> integrated yet. As far as I understand, setting arbitrary timestamps in
> the .deb files seems to be a controversial feature...

Controversial, I don't know yet. See:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719844#30
and my final proposal for which I never had an answer:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719844#57

> However, since binary packages are little more than a vehicle for
> transporting files to the machine where they will be installed, I think
> that focussing on the contents of the .deb archives might be an
> alternative.

I'm not interested in that. I can again quote the same bug log
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719844#37

    My ideal scenario is the following:

     1. I retrieve the .changes file for a package.
     2. I verify the signature on the .changes.
     3. I give the .changes to a "rebuild" tool.
     4. The checksum of the .deb listed in the original .changes file
        and the checksum of the .deb I've just built should match.

    I even would like to compare the rebuilt .deb not only by one source,
    but by several.

    I would rather avoid having a `dpkg-deb --compare` as you suggested
    because comparing signed checksums is much easier than transferring
    `.deb` all around between multiple independent builders.

I'm not saying this would not work at all. But it would not be a
project I would care about anymore.

-- 
Lunar                                .''`. 
lunar at debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
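The four-step "rebuild tool" scenario quoted above (fetch the signed .changes, verify it, rebuild, compare the listed checksums against the rebuilt .deb, ideally across several independent builders) can be sketched as follows. This is an added example written for this archive page; it is not Lunar's code and not part of dpkg, dak or any Debian tool. It assumes a constructed .changes text with fake clearsign armor and hypothetical file names, strips the armor by hand rather than through a PGP library, and delegates the signature check to the real `gpgv` binary in a function the offline demo does not call.

```python
"""Rebuild check: compare a signed .changes file's Checksums-Sha256 against
rebuilt artifacts, and cross-check digests from several builders.

Added example for the reproducible-builds discussion; not Debian tooling.
All inputs below are constructed for the demo.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIGNATURE_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def clearsigned_body(text):
    """Return the signed payload of a clearsigned text (RFC 4880 layout).

    Armor headers such as 'Hash: SHA256' and the trailing signature block
    are dropped; dash-escaped lines ('- -----') are unescaped. Text that is
    not clearsigned is returned unchanged.
    """
    if not text.startswith(CLEARSIGN_BEGIN):
        return text
    lines = text.split("\n")
    i = 1
    while i < len(lines) and lines[i].strip():   # skip armor headers
        i += 1
    i += 1                                        # skip the blank separator
    body = []
    while i < len(lines) and lines[i] != SIGNATURE_BEGIN:
        line = lines[i]
        body.append(line[2:] if line.startswith("- ") else line)
        i += 1
    return "\n".join(body)


def parse_deb822(text):
    """Parse the first deb822 paragraph into a dict.  Continuation lines are
    kept one per '\\n' so multi-line fields stay line-addressable."""
    fields, current = {}, None
    for line in text.split("\n"):
        if not line.strip():
            if fields:
                break                              # end of first paragraph
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Map each file listed in the .changes to (sha256 hexdigest, size)."""
    fields = parse_deb822(clearsigned_body(changes_text))
    result = {}
    for entry in fields.get(field, "").split("\n"):
        if entry:
            digest, size, name = entry.split()
            result[name] = (digest.lower(), int(size))
    return result


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_rebuild(expected, rebuilt_dir):
    """Step 4: for every listed file report 'match', 'mismatch' (size or
    digest differs) or 'missing' (the rebuild did not produce it)."""
    report = {}
    for name, (digest, size) in expected.items():
        path = os.path.join(rebuilt_dir, name)
        if not os.path.exists(path):
            report[name] = "missing"
        elif os.path.getsize(path) != size or sha256_of(path) != digest:
            report[name] = "mismatch"
        else:
            report[name] = "match"
    return report


def cross_check(changes_by_builder, name):
    """Compare one artifact's digest across several builders' signed .changes
    files without moving any .deb; one distinct digest means consensus."""
    return {parse_checksums(t)[name][0] for t in changes_by_builder.values()}


def verify_signature(changes_path, keyring):
    """Step 2: check the .changes signature with gpgv against a keyring of
    trusted builder keys (assumed present; not run by the offline demo)."""
    if shutil.which("gpgv") is None:
        raise RuntimeError("gpgv is not installed")
    return subprocess.run(["gpgv", "--keyring", keyring, changes_path],
                          capture_output=True).returncode == 0


def make_changes(files):
    """Constructed .changes text with fake armor and a placeholder signature."""
    entries = "".join(f"\n {hashlib.sha256(b).hexdigest()} {len(b)} {n}"
                      for n, b in files.items())
    return (f"{CLEARSIGN_BEGIN}\nHash: SHA256\n\nFormat: 1.8\nSource: hello\n"
            f"Version: 2.9-1\nChecksums-Sha256:{entries}\n{SIGNATURE_BEGIN}\n"
            "(constructed placeholder, not a real signature)\n"
            "-----END PGP SIGNATURE-----\n")


def demo():
    """Constructed run: a faithful rebuild matches, a one-byte-longer rebuild
    is flagged, and a dissenting builder breaks the digest consensus."""
    deb = b"!<arch>\ndebian-binary   constructed, not a real .deb\n"
    name = "hello_2.9-1_amd64.deb"
    changes = make_changes({name: deb, "hello_2.9-1.dsc": b"Format: 3.0\n"})
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, name), "wb") as f:
            f.write(deb)
        good = compare_rebuild(parse_checksums(changes), d)
        with open(os.path.join(d, name), "wb") as f:
            f.write(deb + b"\x00")
        bad = compare_rebuild(parse_checksums(changes), d)
    dissent = make_changes({name: deb + b"\x00"})
    agree = cross_check({"ftp-master": changes, "rebuilder-a": changes}, name)
    split = cross_check({"ftp-master": changes, "rebuilder-b": dissent}, name)
    return good, bad, len(agree), len(split)
```

The point of `cross_check` is the one made in the quoted bug log: once every builder publishes a signed .changes, agreement is established by comparing a few hex digests, so no .deb ever has to be shipped between builders. A real tool would call `verify_signature` on each .changes before trusting its digests, and would treat a "missing" entry (here the .dsc, which the demo never writes out) as a failed rebuild rather than ignoring it.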