Non-Reproducible Packaging outside distros
Emanuel Bronshtein
e3amn2l at gmx.com
Sun Dec 11 14:57:09 UTC 2016
Some software has a packaging process that occurs when distributing the software,
for example in phpMyAdmin (PHP software) the 'create-release.sh' script:
https://github.com/phpmyadmin/phpmyadmin/blob/master/scripts/create-release.sh
has reproducibility issues:
https://github.com/phpmyadmin/phpmyadmin/issues/12411
The phpMyAdmin packages (in Debian & other distros) are based on the above released package,
which means that there is a SPOF (single point of failure) on the release manager.
Related questions/suggestions:
1. How to identify software packages that depend on upstream non-reproducible packaging? (then fix the related bugs)
2. Maybe elaborate more on https://reproducible-builds.org about processes that are similar to a build (compile stuff) but also need to be reproducible (in order to raise awareness).
3. It will be better to verify the upstream packaging process in the future.
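
One way to approach question 1 and suggestion 3 above, as an added example that is not part of the original message and not phpMyAdmin's code: pack the same tree twice and report which tar metadata fields make the two archives differ. The sample tree, the function names and the three varied inputs (member order, mtime, owner name) are assumptions chosen as common sources of tarball non-determinism; the actual issues in create-release.sh are the ones in the linked issue.

```python
import hashlib
import io
import tarfile

# Constructed sample release tree (not phpMyAdmin's): path -> contents.
TREE = {"app/index.php": b"<?php echo 'hi';\n", "app/README": b"docs\n"}
FIELDS = ("mtime", "uid", "gid", "uname", "gname", "mode", "content")

def pack(tree, order, mtime, uname):
    """Build a tar in memory with the metadata a release run would record."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.uname = len(tree[name]), mtime, uname
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()

def members(blob):
    """Map member name -> (metadata..., content digest), plus archive order."""
    out, order = {}, []
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for m in tar.getmembers():
            data = tar.extractfile(m).read() if m.isfile() else b""
            out[m.name] = (m.mtime, m.uid, m.gid, m.uname, m.gname, m.mode,
                           hashlib.sha256(data).hexdigest())
            order.append(m.name)
    return out, order

def diff_archives(a, b):
    """Return the sorted reasons two archives are not bit-identical."""
    if a == b:
        return []
    (ma, oa), (mb, ob) = members(a), members(b)
    reasons = set()
    if set(oa) != set(ob):
        reasons.add("member set")
    elif oa != ob:
        reasons.add("member order")
    for name in ma.keys() & mb.keys():
        reasons.update(f for f, x, y in zip(FIELDS, ma[name], mb[name]) if x != y)
    return sorted(reasons) or ["bytes outside member headers"]

# Two runs of a naive release step: directory order, clock and user differ.
run1 = pack(TREE, ["app/index.php", "app/README"], 1000, "alice")
run2 = pack(TREE, ["app/README", "app/index.php"], 2000, "bob")
# Normalised packaging: sorted names, fixed mtime, fixed owner.
fixed1 = pack(TREE, sorted(TREE), 0, "root")
fixed2 = pack(TREE, sorted(TREE), 0, "root")
```

Here `diff_archives(run1, run2)` names the fields to normalise, while the two `fixed` archives hash identically, so a distro or third party could rebuild the release and compare digests instead of trusting a single release manager.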