Non-Reproducible Packaging outside distros

[Daniel Shahaf]

Emanuel Bronshtein wrote on Sun, Dec 11, 2016 at 15:57:09 +0100:
> Some software has packaging process that occur when distributing the software,
> for example in PHPMyAdmin (PHP software) the 'create-release.sh' script:
>     https://github.com/phpmyadmin/phpmyadmin/blob/master/scripts/create-release.sh
> has reproducibility issues:
>     https://github.com/phpmyadmin/phpmyadmin/issues/12411
> The phpmyadmin packages (in debian & other distros) are based on the above released package.
> which mean that there is a spof (single points of failure) on the release manager.
> 

So the upstream project should diff the tarballs to the VCS tag.

> related questions/suggestions:
> 1. how to identify software packages that depend on upstream non-reproducible packaging? (then fix the related bugs)

This varies by language.  For C projects, a 'configure' script is
usually a generated file.  Other langauges (and build tools) have their
own things.  A second problem is to detect whether the downstream build
script relies on the upstream generated files, or regenerate them.

> 2. maybe elaborate more in https://reproducible-builds.org about processes that similar to build (compile stuff) but also need to be reproducible. (in order to raise awareness)

> 3. It will be better to verify the upstream packaging process in the future.

Two questions:

a) _What_ should be reproducible?  The path from a VCS tag to a tarball?
The path from a tarball to a compiled binary?  The path from a VCS tag
to a compiled binary [as a single, atomic step]?

b) How do you define the input to the "generate a tarball" step?  A VCS
tag?  How is the corresponding tree represented?  (e.g., Git tree
object, Git fast-export stream, ext2 filesystem image, `find -ls`
output...)

All that said, I think this discussion is better suited to the
rb-general@ list; perhaps move/restart the thread there?

Cheers,

Daniel