Bug#844431: Revised patch: Oppose
bunk at stusta.de
Wed Aug 16 15:26:03 UTC 2017
On Sat, Aug 12, 2017 at 03:34:35PM -0700, Sean Whitton wrote:
> diff --git a/policy/ch-source.rst b/policy/ch-source.rst
> index 127b125..6e32870 100644
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -661,6 +661,28 @@ particularly complex or unintuitive source layout or build system (for
> example, a package that builds the same source multiple times to
> generate different binary packages).
> +Packages should build reproducibly, which for the purposes of this
> +document [#]_ means that given
> +- a version of a source package unpacked at a given path;
> +- a set of versions of installed build dependencies;
> +- a set of environment variable values;
> +- a build architecture; and
> +- a host architecture,
> +repeatedly building the source package for the build architecture on
> +any machine of the host architecture with those versions of the build
> +dependencies installed and exactly those environment variable values
> +set will produce bit-for-bit identical binary packages.
> +It is recommended that packages produce bit-for-bit identical binaries
> +even if most environment variables and build paths are varied. It is
> +intended for this stricter standard to replace the above when it is
> +easier for packages to meet it.
> .. [#]
> See the file ``upgrading-checklist`` for information about policy
> which has changed between different versions of this document.
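Review bot: The new definition is one sentence interrupted by a bullet list ("means that given" ... "repeatedly building the source package ..."); in reStructuredText a bullet list must be separated from surrounding text by blank lines, so the fragment beginning "repeatedly building" will render as a separate paragraph and read as a sentence without a subject. Consider closing the lead-in as a full sentence and starting the continuation fresh, e.g. "Given ... a host architecture. Repeatedly building the source package ... must produce bit-for-bit identical binary packages." Separately, the auto-numbered reference ``[#]_`` added after "this document" is matched to auto-numbered ``.. [#]`` definitions in document order, and its definition is added in a later hunk after line 812, behind the existing ``upgrading-checklist`` footnote defined here; worth checking the rendered output to confirm the number resolves to the reproducible-builds.org note and not to the checklist one.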
> @@ -790,3 +812,7 @@ generate different binary packages).
> often creates either static linking or shared library conflicts, and,
> most importantly, increases the difficulty of handling security
> vulnerabilities in the duplicated code.
> +.. [#]
> + This is Debian's precisification of the `reproducible-builds.org
> + definition <https://reproducible-builds.org/docs/definition/>`_.
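Review bot: "precisification" is an uncommon term, and the footnote asserts a relationship to the upstream definition without stating what is being made precise. Since the body paragraph is what readers and tooling will cite, consider plainer wording such as "This is Debian's more precise restatement of the reproducible-builds.org definition" and name the constraints the Debian text fixes that the upstream text leaves open (unpack path, installed build-dependency versions, environment variable values, build and host architecture, all listed in the paragraph above), so the claim can be checked against the linked page rather than taken on trust.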
I hereby oppose the addition of this to policy.
It is not true that this would be "Debian's precisification"
of reproducible builds.
The definition does not match any past, present or future practice in Debian.
Including the people who want this change to policy, there seems to be
no one intending to use this definition of reproducibility.
Adding this to policy would do more harm than good.
E.g. tracker.d.o saying "Does not build reproducibly during testing"
based on a definition of reproducibility that is quite different from
the official "Debian precisification" would only create confusion.
> Sean Whitton
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed