Debian unstable (and more) rep-bui problems (Was: Re: Rant about Debian reproducibility environment)

Arnout Engelen arnout at bzzt.net
Fri Dec 13 14:56:17 GMT 2019


>  |  outcome on two different build hosts, unless the actual build
>  |  environment is the same to the detail.

The goal of Reproducible Builds is to increase our confidence that
no malware was injected into the artifact during the build process.

To achieve this, we build from source on different
machines and check whether the result is the same.

There is a tension between 2 concerns here: on the one hand, you
want those machines to be as diverse as possible: the larger
the difference between the machines, the higher your confidence in
the absence of foul play (since an attacker would have to find a way
to impact all those variations in machines).
On the other hand, of course it is unreasonable to expect the same
results on machines that are too wildly different.

Which differences a build procedure should be resistant against
to be considered 'reproducible' is not always clear-cut. I understand
this can be frustrating when apparently previously the Debian
rebuilders didn't exercise a certain difference while now they do.
On the other hand, just the fact that this was constant before
doesn't immediately mean this is a defect in the rebuilding
infrastructure, either.

So the question is whether it is reasonable to require all builders
to have identical MAKEFLAGS. There are definitely things in the
MAKEFLAGS that I wouldn't expect to influence the resulting
artefact, such as the build parallelism. On the other hand,
of course it is entirely reasonable for application-level configuration
flags to change the output, and making those appear in the output
of something like "mailx -v -Xversion -Xx" sounds legitimate to
me as well.

Would there be any way to keep only the 'application-level' options
from the MAKEFLAGS but leave the 'build-level' options out?
(you mention 'test1/ and test2/ or so', but I'm not sure what
exactly is going on there).


Kind regards,

Arnout
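One way to do the split the message asks about, as an added example that is not part of the thread: a small POSIX sh helper that separates a MAKEFLAGS string into build-level words (parallelism, job server, bare flag letters) and application-level VAR=value definitions, so that only the latter would be recorded in an artefact's version output. It assumes GNU make's MAKEFLAGS layout (options start with "-", definitions follow "--") and that definition values contain no whitespace; the sample MAKEFLAGS string is constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): split MAKEFLAGS into
# build-level and application-level parts.
# Assumption: GNU make layout, e.g. " -j8 --jobserver-auth=3,4 -- PREFIX=/usr".
# Caveat: word splitting on $1 means quoted values with spaces are not handled.

# Print only the VAR=value words (application-level configuration),
# space-separated on one line. Parallelism and job-server options are dropped.
keep_app_level_flags() {
    _out=""
    for _w in $1; do
        case "$_w" in
            -*) ;;                              # -j8, -l4, --jobserver-auth=3,4, "--"
            *=*) _out="${_out:+$_out }$_w" ;;   # application-level definition
            *) ;;                               # bare letter cluster such as "kw"
        esac
    done
    printf '%s\n' "$_out"
}

# Print only the build-level words (make options and bare flag letters),
# space-separated on one line; the "--" separator itself is dropped.
keep_build_level_flags() {
    _out=""
    for _w in $1; do
        case "$_w" in
            --) ;;                              # separator only
            -*) _out="${_out:+$_out }$_w" ;;    # make option
            *=*) ;;                             # application-level, skipped
            *) _out="${_out:+$_out }$_w" ;;     # bare letter cluster such as "kw"
        esac
    done
    printf '%s\n' "$_out"
}

# Constructed sample: a parallel build with two definitions on the command line.
SAMPLE_MAKEFLAGS=' -j8 --jobserver-auth=3,4 -- PREFIX=/usr OPT_SSL=1'

printf 'build-level (not recorded): %s\n' "$(keep_build_level_flags "$SAMPLE_MAKEFLAGS")"
printf 'application-level (recorded): %s\n' "$(keep_app_level_flags "$SAMPLE_MAKEFLAGS")"
```

With this split, two rebuilders that differ only in -j would record the same application-level string.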
