[Reproducible-builds] Reproducible Builds — proof of concept successful for 83% of all sources in main

Reproducible builds folks reproducible-builds at lists.alioth.debian.org
Fri Feb 13 17:28:42 UTC 2015 

Hi *,

We are happy to report on the status of the “Reproducible Builds”
project [WIKI]. In short, reproducible builds are about enabling anyone
to independently confirm that a given binary .deb was built from some
specified source .dsc.

Progress
========

We have been making great progress recently; after more than a year of
work, we are proud to announce that we found 83.5% of all source
packages in sid main can be rebuilt reproducibly!

A more verbose summary can be read in the interview given for the latest
FOSDEM [INTERVIEW] — this interview was team work, even though it
doesn't look like it. ;-)

The current result has mostly been achieved via experimental changes in
toolchain packages available from a dedicated repository [TOOLCHAIN].

So far, more than 2,000 “unreproducible” packages have been
investigated [NOTES]. Several core (e.g. linux) and other packages have
already received patches to make them build reproducibly. A summary of
the most common issues is available [ISSUES].

Tools
=====

debbindiff [DEBBINDIFF] has been written to provide in-depth detailed
diffs of binary packages.

Several jobs running on jenkins.debian.net continuously rebuild all
packages in unstable twice [JENKINS]. The second build environment
differs in (wall-clock) time, file ordering, CPU ordering, hostname,
username/uid, groupname/gid, and locale.  The binaries are compared
using debbindiff and the results are easily browseable [REPRODUCIBLE].

The “reproducibility” status has been integrated into
tracker.debian.org [TRACKER], the Developer's Package Overview [DDPO]
and the Maintainer Dashboard [DMD].

For more details on what has been done and also tried in the past,
please refer to the project history [HISTORY].

Bug filing with patches
=======================

We have started to propose patches to make packages build reproducibly
and tagged them with appropriate usertags and the user
<reproducible-builds at lists.alioth.debian.org> [BUGS].

And the number [GRAPH] got quite high quite fast. As more than 400 have
already been sent, please consider this email as an overdue announcement
for the mass bug filing.

Contribute
==========

If you want to help, a first step is to check the reproducibility of
your packages [DDLIST]. Feel free to ask for help on the
<reproducible-builds at lists.alioth.debian.org> mailing list or in
#debian-reproducible on irc.debian.org.

Reproducible builds for Debian are still in the design-phase, the work
is not finished by far.  To give one (important) example: we are still
looking to find the best approach for integration within the archive.
But there is more work to do, the project has a large scope and touches
all areas of Debian. Many small and greater things remain to be
done [CONTRIBUTE]. You are most welcome to join the fun!

Further discussion
==================

Last but not least: given the amazing progress, we feel reproducible
builds could become a release goal for Stretch (Jessie+1) — and some
even think it should! We will submit a proper proposal after Jessie is
out.

Until then, we would like to invite you to discuss the reproducible
builds project at large by following up to
<debian-devel at lists.debian.org> — just please keep our mailing list
<reproducible-builds at lists.alioth.debian.org> cc'ed for those who are
not subscribed to debian-devel at l.d.o.


    yours sincerely,
      for the Debian reproducible builds team,
        Andrew Ayer
        Chris Lamb
        Chris West
        Christoph Berg
        Holger Levsen
        Lunar
        Mattia Rizzolo
        Reiner Herrmann
        Ximin Luo


          [WIKI]: https://wiki.debian.org/ReproducibleBuilds
     [INTERVIEW]: https://fosdem.org/2015/interviews/2015-holger-levsen/
     [TOOLCHAIN]: https://wiki.debian.org/ReproducibleBuilds/ExperimentalToolchain
        [ISSUES]: https://reproducible.debian.net/index_issues.html
       [JENKINS]: https://jenkins.debian.net/view/reproducible/
         [NOTES]: https://reproducible.debian.net/index_notes.html
    [DEBBINDIFF]: https://packages.debian.org/sid/debbindiff
  [REPRODUCIBLE]: https://reproducible.debian.net/
       [TRACKER]: https://tracker.debian.org/
          [DDPO]: https://qa.debian.org/developer.php
           [DMD]: https://udd.debian.org/dmd/
       [HISTORY]: https://wiki.debian.org/ReproducibleBuilds/History
          [BUGS]: http://deb.li/3oX61
         [GRAPH]: https://reproducible.debian.net/stats_bugs.png
        [DDLIST]: https://reproducible.debian.net/index_dd-list.html
    [CONTRIBUTE]: https://wiki.debian.org/ReproducibleBuilds/Contribute
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20150213/01f92e67/attachment.sig>

More information about the Reproducible-builds mailing list