Bug#844431: Revised patch: seeking seconds
Ximin Luo
infinity0 at debian.org
Sat Aug 12 23:09:00 UTC 2017
Sean Whitton:
> [..]
>
> Here is an updated patch addressing these. I reworded it to use
> 'recommended' and changed the tone to better suit policy.
>
> Thank you Ximin, Russ and Johannes!
>
>> "precisification" -> "more precise version"
>
> Our definition is not actually a /version/ of the
> reproducible-builds.org definition -- that would imply that our
> definition could replace the reproducible-builds.org definition, like
> upgrading a package.
>
> 'precisification' means roughly "filling out the missing specification
> when it is appropriate to fill it out", which is what the r-p.org
> definition instructs distributors to do.
>
> diff --git a/policy/ch-source.rst b/policy/ch-source.rst
> index 127b125..6e32870 100644
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -661,6 +661,28 @@ particularly complex or unintuitive source layout or build system (for
> example, a package that builds the same source multiple times to
> generate different binary packages).
>
> +Reproducibility
> +---------------
> +
> +Packages should build reproducibly, which for the purposes of this
> +document [#]_ means that given
> +
> +- a version of a source package unpacked at a given path;
> +- a set of versions of installed build dependencies;
> +- a set of environment variable values;
> +- a build architecture; and
> +- a host architecture,
> +
> +repeatedly building the source package for the build architecture on
> +any machine of the host architecture with those versions of the build
> +dependencies installed and exactly those environment variable values
> +set will produce bit-for-bit identical binary packages.
> +
> +It is recommended that packages produce bit-for-bit identical binaries
> +even if most environment variables and build paths are varied. It is
> +intended for this stricter standard to replace the above when it is
> +easier for packages to meet it.
> +
> .. [#]
> See the file ``upgrading-checklist`` for information about policy
> which has changed between different versions of this document.
> @@ -790,3 +812,7 @@ generate different binary packages).
> often creates either static linking or shared library conflicts, and,
> most importantly, increases the difficulty of handling security
> vulnerabilities in the duplicated code.
> +
> +.. [#]
> + This is Debian's precisification of the `reproducible-builds.org
> + definition <https://reproducible-builds.org/docs/definition/>`_.
>
>
Thanks! Seconded.
X
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
More information about the Reproducible-builds
mailing list