Proposal for making Multi-Arch:same binNMU-safe
Helmut Grohne
helmut at subdivi.de
Thu Apr 16 10:32:15 BST 2026
Hi Philipp,

On Thu, Apr 16, 2026 at 11:21:53AM +0200, Philipp Kern wrote:
> IIUC we are already doing a transformation of both packages before they are
> being compared, right? Out of curiosity: How much does it actually buy us to
> choose to care about the timestamps here?

No. The point of reproducible builds is to fully reproduce the .deb file
in a rebuild up to every single bit. There is no transformation being
performed prior to comparison. diffoscope does dig into the .deb files
and tell you about the origin of differences, but that's a diagnostic
tool and it is not recommended to run diffoscope on untrusted input.

Thanks to the work of the reproducible builds folks we can reproduce
(i.e. rebuild and get the exact same .deb files) for more than 98% of
packages in forky. (See https://reproduce.debian.net/)

Dropping the timestamp clamping would instantly get us to 0%. As much as
I would like to fix coinstallability, that is not a sensible trade.

Helmut
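
Added illustration, not part of the message above and not code from dpkg or any Debian tool: a simplified model of why a bit-for-bit comparison with no preprocessing depends on timestamp clamping. It assumes a plain tar archive stands in for a .deb member and models clamping as min(mtime, SOURCE_DATE_EPOCH); all paths, contents and times are constructed.

```python
import hashlib
import io
import tarfile

SOURCE_DATE_EPOCH = 1_700_000_000  # constructed value, stands in for the changelog date
# Constructed payload: (path, content, generated_during_build)
FILES = [
    ("usr/share/doc/demo/changelog", b"demo (1.0-1) unstable\n", False),
    ("usr/share/doc/demo/generated.txt", b"written during the build\n", True),
]


def build_archive(build_time, clamp_to=None):
    """Pack FILES into an in-memory tar as if the build ran at build_time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data, generated in sorted(FILES):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o644
            info.uname = info.gname = "root"
            # Source files carry an old mtime; generated files carry the build time.
            mtime = build_time if generated else SOURCE_DATE_EPOCH - 86400
            if clamp_to is not None:
                mtime = min(mtime, clamp_to)  # clamp: only newer timestamps are lowered
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def first_difference(a, b):
    """Offset of the first differing byte, or None when bit-for-bit identical."""
    if a == b:
        return None
    diffs = (i for i, (x, y) in enumerate(zip(a, b)) if x != y)
    return next(diffs, min(len(a), len(b)))


def rebuild_matches(clamp_to):
    """Build twice, one hour apart, and compare raw bytes with no preprocessing."""
    first = build_archive(1_800_000_000, clamp_to)
    second = build_archive(1_800_003_600, clamp_to)
    return hashlib.sha256(first).digest() == hashlib.sha256(second).digest()


if __name__ == "__main__":
    print("clamped rebuild identical:  ", rebuild_matches(SOURCE_DATE_EPOCH))
    print("unclamped rebuild identical:", rebuild_matches(None))
```

Without clamping, the only differing bytes sit in the tar header of the generated file, which is enough to change the archive hash.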
More information about the Reproducible-builds
mailing list