Moving towards a deb-buildinfo(5) Format 1.0
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Nov 13 20:44:22 UTC 2016
On Sun 2016-11-13 22:33:29 +0900, Chris Lamb wrote:
>> Multiple builds of the same source package will set SOURCE_DATE_EPOCH to
>> the same value but will result in a different Build-Date.
>
> … but that would mean that a reproducible build will result in .buildinfo
> files with different contents (varying on Build-Date).
>
> That seems, at the very least, somewhat non-intuitive to me.
It is definitely not what most of us initially expected, but it is
actually what we want.
i look at it this way:
* Ideally, the generated binary packages are reproducible *even when
the build environment changes*. For example, I build a package as
the user "dkg" on machine "alice" in path /home/dkg/src/foo, and you
build it as "lamby" on machine "bob" in path
/home/lamby/work/foo/foo, and we should get the same outcome.
* The buildinfo file documents things that *might* influence the build,
but it also documents things that *should not* influence the build.
Two differing buildinfo files that produced the same output
effectively say "even when the build environment varies in the way
that these two do, the package is still reproducible"
* We actually don't want people to have to replicate the exact build
environment to get a binary match. I think it was Ximin who pointed
out: "all software is reproducible if you create an exact
atom-by-atom copy of the original build computer before building".
But that's not what we really mean by reproducible builds.
In short, we *want* buildinfos to vary, while we want the generated
binary artifacts to be reproducible.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 962 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20161114/09c0afa8/attachment.sig>
More information about the Reproducible-builds
mailing list