Bug#844431: Revised patch: Oppose

Adrian Bunk bunk at stusta.de
Wed Aug 16 15:26:03 UTC 2017



On Sat, Aug 12, 2017 at 03:34:35PM -0700, Sean Whitton wrote:
>...
> diff --git a/policy/ch-source.rst b/policy/ch-source.rst
> index 127b125..6e32870 100644
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -661,6 +661,28 @@ particularly complex or unintuitive source layout or build system (for
>  example, a package that builds the same source multiple times to
>  generate different binary packages).
>  
> +Reproducibility
> +---------------
> +
> +Packages should build reproducibly, which for the purposes of this
> +document [#]_ means that given
> +
> +- a version of a source package unpacked at a given path;
> +- a set of versions of installed build dependencies;
> +- a set of environment variable values;
> +- a build architecture; and
> +- a host architecture,
> +
> +repeatedly building the source package for the build architecture on
> +any machine of the host architecture with those versions of the build
> +dependencies installed and exactly those environment variable values
> +set will produce bit-for-bit identical binary packages.
> +
> +It is recommended that packages produce bit-for-bit identical binaries
> +even if most environment variables and build paths are varied.  It is
> +intended for this stricter standard to replace the above when it is
> +easier for packages to meet it.
> +
>  .. [#]
>     See the file ``upgrading-checklist`` for information about policy
>     which has changed between different versions of this document.
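
Review bot: the enumerated inputs in the definition fix the unpack path, build-dependency versions, environment variables and the two architectures, but not the build time, so under this wording a package whose output embeds the current date would still count as "reproducible" only if the clock happens to match between builds; either add the build date/time to the list or state that it is pinned through one of the environment variables (for example SOURCE_DATE_EPOCH, which reproducible-builds.org already standardises). The second paragraph also says the stricter standard "is intended to replace the above", which leaves unclear which of the two a package is judged against today; "Packages should ... even if ..." as a single requirement with the path/environment variation described as the goal would remove the ambiguity.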
> @@ -790,3 +812,7 @@ generate different binary packages).
>     often creates either static linking or shared library conflicts, and,
>     most importantly, increases the difficulty of handling security
>     vulnerabilities in the duplicated code.
> +
> +.. [#]
> +   This is Debian's precisification of the `reproducible-builds.org
> +   definition <https://reproducible-builds.org/docs/definition/>`_.
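
Review bot: check that this auto-numbered footnote is bound to the intended reference: reStructuredText assigns `[#]_` references to `.. [#]` definitions in order of occurrence, and this definition is placed after the existing upgrading-checklist footnote, so the `[#]_` added in the Reproducibility section must also come after that footnote's reference in the source, otherwise the two numbers swap silently. "precisification" is also unusual wording for a policy document; "Debian's refinement of the reproducible-builds.org definition" says the same thing more plainly.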

I hereby oppose the addition of this to policy.

It is not true that this would be "Debian's precisification"
of reproducible builds. 

The definition does not match any past, present or future practice in Debian.

Including the people who want this change to policy, there seems to be
no one intending to use this definition of reproducibility.

Adding this to policy would do more harm than good.

E.g. tracker.d.o saying "Does not build reproducibly during testing" 
based on a definition of reproducibility that is quite different from 
the official "Debian precisification" would only create confusion.

> Sean Whitton

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed




More information about the Reproducible-builds mailing list