Bug#844431: Reproducibility in Policy

Russ Allbery rra at debian.org
Sat Aug 12 00:57:44 UTC 2017


Sean Whitton <spwhitton at spwhitton.name> writes:

> ==== Proposal: ====

> This is what Holger and I think we should add to Policy, after
> readability tweaks:

>     Packages should build reproducibly, which for purposes of this
>     document means that given

>     - a version of a source package unpacked at a given path;
>     - a set of versions of installed build-dependencies; and
>     - a build architecture,

>     repeatedly building the source package on the architecture with those
>     versions of the build dependencies installed will produce bit-for-bit
>     identical binary packages.

I think we need to add all environment variables starting with DEB_* to
the prerequisites.  If you set DEB_BUILD_OPTIONS=nostrip or
DEB_BUILD_MAINT_OPTIONS=hardening=all, you'll definitely get a different
package, for instance.

I feel like there are a bunch of other environment variables that have to
be consistent, although I'm not sure how to specify that since other
environment variables shouldn't matter.  But, say, setting GNUTARGET is
very likely to cause weirdness by changing how ld works.  There are
probably more interesting examples.

How does the current reproducible build testing work with the environment?
Maybe we should just document that for right now and relax it later if
needed?

> ==== Explanation: ====

> The definition from the reproducible builds group[1] says:

>     A build is reproducible if given the same source code, build
>     environment and build instructions, any party can recreate
>     bit-by-bit identical copies of all specified artifacts.

>     The relevant attributes of the build environment, the build
>     instructions and the source code as well as the expected
>     reproducible artifacts are defined by ... distributors.

> i.e. Debian has to define the build environment, source code and build
> instructions.  I think that my wording defines these as Debian currently
> understands them.

> Later, we could narrow the definition of build environment by adding
> more constraints, but we're not there yet.

> [1]  https://reproducible-builds.org/docs/definition/

We should add a link to that page (maybe in a footnote).

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
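The environment prerequisite discussed in this mail (every DEB_* variable, plus toolchain knobs such as GNUTARGET) is what the Environment field of a Debian .buildinfo file is meant to capture. The following is an added example, not code from this thread, from Policy or from dpkg: it parses that field from two constructed .buildinfo excerpts and reports which differing variables belong to the must-match set and which are ignored. The field layout assumed here is the one dpkg-genbuildinfo writes (one NAME="value" entry per indented continuation line); the extra toolchain variable names beyond DEB_* and GNUTARGET, and both sample excerpts, are assumptions made for illustration.

```python
"""Compare the build environments recorded in two Debian .buildinfo files.

Added example for the reproducibility discussion; not part of the original
thread or of dpkg. Assumes the ``Environment:`` field layout that
dpkg-genbuildinfo writes: one ``NAME="value"`` entry per indented line.
"""
import re
from typing import Dict, Optional, Set, Tuple

# Variables that must be identical between two builds for the comparison to
# be meaningful. DEB_* and GNUTARGET come from the mail; the remaining names
# are an assumption listing common toolchain and locale knobs.
ALWAYS_RELEVANT_PREFIXES = ("DEB_",)
ALWAYS_RELEVANT_NAMES = {
    "GNUTARGET", "SOURCE_DATE_EPOCH", "CFLAGS", "CXXFLAGS", "LDFLAGS",
    "LC_ALL", "LANG", "TZ",
}

# One Environment entry: leading whitespace, NAME, '=', a double-quoted value
# in which embedded quotes are backslash-escaped.
_ENV_LINE = re.compile(r'^\s+([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"$')


def parse_buildinfo_environment(text: str) -> Dict[str, str]:
    """Return the NAME -> value mapping from the Environment field of a .buildinfo."""
    env: Dict[str, str] = {}
    in_env = False
    for line in text.splitlines():
        if not in_env:
            in_env = line.startswith("Environment:")
            continue
        match = _ENV_LINE.match(line)
        if match is None:
            break  # a non-indented line ends the multi-line field
        name, raw_value = match.groups()
        env[name] = raw_value.replace('\\"', '"')
    return env


def is_relevant(name: str) -> bool:
    """True if a difference in this variable must be reported, not ignored."""
    return name.startswith(ALWAYS_RELEVANT_PREFIXES) or name in ALWAYS_RELEVANT_NAMES


def environment_diff(
    first: Dict[str, str], second: Dict[str, str]
) -> Tuple[Dict[str, Tuple[Optional[str], Optional[str]]], Set[str]]:
    """Split differing variables into (must-match differences, ignored names).

    A variable missing from one side is reported with None for that side.
    """
    relevant: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    ignored: Set[str] = set()
    for name in sorted(set(first) | set(second)):
        va, vb = first.get(name), second.get(name)
        if va == vb:
            continue
        if is_relevant(name):
            relevant[name] = (va, vb)
        else:
            ignored.add(name)
    return relevant, ignored


# Constructed sample excerpts; the TERM entry is not something dpkg records and
# is included only to exercise the "ignored" path.
BUILDINFO_A = """Format: 1.0
Source: example-pkg
Architecture: amd64
Version: 1.0-1
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
 LANG="C.UTF-8"
 SOURCE_DATE_EPOCH="1502496000"
 TERM="xterm"
"""

BUILDINFO_B = """Format: 1.0
Source: example-pkg
Architecture: amd64
Version: 1.0-1
Environment:
 DEB_BUILD_MAINT_OPTIONS="hardening=all"
 DEB_BUILD_OPTIONS="nostrip parallel=4"
 LANG="C.UTF-8"
 SOURCE_DATE_EPOCH="1502496000"
 TERM="screen"
"""


def compare_sample_buildinfos() -> Tuple[Dict[str, Tuple[Optional[str], Optional[str]]], Set[str]]:
    """Run the comparison over the two constructed excerpts."""
    return environment_diff(
        parse_buildinfo_environment(BUILDINFO_A),
        parse_buildinfo_environment(BUILDINFO_B),
    )


if __name__ == "__main__":
    relevant, ignored = compare_sample_buildinfos()
    for name, (va, vb) in relevant.items():
        print(f"must match but differs: {name}: {va!r} vs {vb!r}")
    for name in sorted(ignored):
        print(f"differs but ignored:    {name}")
```

Run over the two excerpts, the comparison flags DEB_BUILD_OPTIONS and the DEB_BUILD_MAINT_OPTIONS that only the second build set, and ignores TERM. The split between the two sets is exactly the policy question in the mail: which variables are part of the build environment a reproducibility claim is conditioned on, and which are not.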
