Moving towards a deb-buildinfo(5) Format 1.0

Johannes Schauer josch at debian.org
Sun Nov 13 22:26:44 UTC 2016


Hi,

Quoting Daniel Kahn Gillmor (2016-11-13 21:44:22)
> It is definitely not what most of us initially expected, but it is
> actually what we want.
> 
> i look at it this way:
> 
>  * Ideally, the generated binary packages are reproducible *even when
>    the build environment changes*.  For example, I build a package as
>    the user "dkg" on machine "alice" in path /home/dkg/src/foo, and you
>    build it as "lamby" on machine "bob" in path
>    /home/lamby/work/foo/foo, and we should get the same outcome.
> 
>  * The buildinfo file documents things that *might* influence the build,
>    but it also documents things that *should not* influence the build.
>    Two differing buildinfo files that produced the same output
>    effectively say "even when the build environment varies in the way
>    that these two do, the package is still reproducible"

another thing to think about: Thinking "lets remove everything that should not
influence the build from the buildinfo" is futile in the first place. The most
obvious example is the "Installed-Build-Depends" field. The build output should
probably not depend on many of the Essential:yes packages like bash, sed or
gzip. Still we list these packages in the .buildinfo. In fact, we cannot know
whether or not the build is independent of the bash, sed or gzip package
versions (or architectures) if we would *not* list them. So look at it this
way:

By listing lots of extra information like package versions, build time and
build path we store information that we can later use to identify whether or
not the artifacts produced by a bit are independent from them. If we have two
buildinfo files with different build time but the same hashes, then we can
easily conclude that apparently the build is invariant of the time. If we have
two buildinfo files with different dpkg versions but the same hashes then we
can conclude that apparently, these two dpkg versions have the same effect on
the build. Without listing this info, we cannot make this inferences.

Of course this does not mean that we include *all* the happenstance information
in a buildinfo file. We don't include the username or the specs of the machine
the build was run on. But we still include the interesting information. What
constitutes "interesting" is of course up to debate but by the arguments that
were brought up in earlier mails, I'd argue that datapoints like build date and
build path are still "interesting" pieces of information to keep around for
now.

Thanks!

cheers, josch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20161113/6c930625/attachment.sig>


More information about the Reproducible-builds mailing list