Bug#844431: Revised patch: seeking seconds

Ximin Luo infinity0 at debian.org
Wed Aug 16 16:34:00 UTC 2017

Adrian Bunk:
> On Wed, Aug 16, 2017 at 03:43:00PM +0000, Ximin Luo wrote:
>> Adrian Bunk:
>>> On Wed, Aug 16, 2017 at 11:37:00AM +0000, Ximin Luo wrote:
>>>> [..]
>>>> Fair enough. I actually spotted that but thought it was better to get "something" into Policy rather than nitpick. I guess other people were thinking similar things. Well, lesson learnt, I will be more forceful next time.
>>>> ...
>>> What is the point of getting "something" into policy, when it is known 
>>> to not match existing practice and that what is being added to policy 
>>> will be ignored by everyone?
>>>> The sentence I amended said "most environment variables" so our intent is clear.
>>>> ...
>>> This is not about "intent", this is about giving an exact definition
>>> of reproducibility for Debian.
>>> The definition should then match what is recorded in .buildinfo
>>> and what the reproducible builds infrastructure is testing.
>> The exact wording that was added, was a too-loose requirement. I'm now proposing to make the requirement more strict, in accordance with the tests that we're running. Do you have any comments on my proposal?
>> ...
> Will both dpkg-genbuildinfo and the reproducible builds infrastructure 
> implement this definition?
> Any definition is fine for me as long as it will match what is actually 
> being done.[1]
> [1] not excluding future changes, but at the time the policy will be 
>     published it should match reality

dpkg-genbuildinfo isn't about testing reproducibility, it's about recording the build environment: https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles#Semantics

"A buildinfo file is a record of what a particular builder did to build some binary output.

It contains as much information about the build environment as is reasonable to distribute, and attempts to include all information needed to reproduce that build.

It does NOT imply that everything contained within "should" be necessary to reproduce the build. [..]"

AIUI, the tests.reproducible-builds.org infrastructure does already include what I suggested to be added. That is, it doesn't report "unreproducible" if varying those reserved variables, would change the binary hash. It could be a bit clearer in the UI on which suites vary the build-path however, that is an improvement to be made. For buster (where the build-path is not varied) then an "unreproducible" status would mean it's not meeting the definition (that includes my addition of these "reserved variables").

It is true that we might report "reproducible" even if the output varies based on the envvar UNIQUERANDOMENVVAR, because we don't explicitly vary that. But a lot of other QA-related tests in Debian would give "good" results even for "bad" packages that are bad in a very esoteric way. It's the intent that matters, and I think that's captured well in the policy, especially with my proposed newer wording, and also in the practical tests that we're already running.


GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE

More information about the Reproducible-builds mailing list