Bug#844431: Reproducibility in Policy
Bill Allombert
ballombe at debian.org
Sat Aug 12 09:59:57 UTC 2017
On Fri, Aug 11, 2017 at 04:08:47PM -0700, Sean Whitton wrote:
> control: user debian-policy at packages.debian.org
> control: usertag = normative proposal
>
> Hello,
>
> ==== Proposal: ====
>
> This is what Holger and I think we should add to Policy, after
> readability tweaks:
>
> Packages should build reproducibly, which for purposes of this
> document means that given
>
> - a version of a source package unpacked at a given path;
> - a set of versions of installed build-dependencies; and
> - a build architecture,
>
> repeatedly building the source package on the architecture with those
> versions of the build dependencies installed will produce bit-for-bit
> identical binary packages.
>
> ==== Explanation: ====
>
> The definition from the reproducible builds group[1] says:
>
> A build is reproducible if given the same source code, build
> environment and build instructions, any party can recreate
> bit-by-bit identical copies of all specified artifacts.
>
> The relevant attributes of the build environment, the build
> instructions and the source code as well as the expected
> reproducible artifacts are defined by ... distributors.
>
> i.e. Debian has to define the build environment, source code and build
> instructions. I think that my wording defines these as Debian currently
> understands them.
This requires policy to define the build environment and build
instructions much more precisely than it does now, which does not
seem to be practical. Unless maybe if a reference implementation
is provided.
Cheers,
--
Bill. <ballombe at debian.org>
Imagine a large red swirl here.