
Reproducible Builds — proof of concept successful for 83% of all sources in main

Hi *,

We are happy to report on the status of the “Reproducible Builds”
project [WIKI]. In short, reproducible builds are about enabling anyone
to independently confirm that a given binary .deb was built from some
specified source .dsc.


We have been making great progress recently; after more than a year of
work, we are proud to announce that we found 83.5% of all source
packages in sid main can be rebuilt reproducibly!

A more verbose summary can be read in the interview given for the latest
FOSDEM [INTERVIEW] — this interview was team work, even though it
doesn't look like it. ;-)

The current result has mostly been achieved via experimental changes in
toolchain packages available from a dedicated repository [TOOLCHAIN].

So far, more than 2,000 “unreproducible” packages have been
investigated [NOTES]. Several core (e.g. linux) and other packages have
already received patches to make them build reproducibly. A summary of
the most common issues is available [ISSUES].


debbindiff [DEBBINDIFF] has been written to provide in-depth detailed
diffs of binary packages.

Several jobs running on jenkins.debian.net continuously rebuild all
packages in unstable twice [JENKINS]. The second build environment
differs in (wall-clock) time, file ordering, CPU ordering, hostname,
username/uid, groupname/gid, and locale.  The binaries are compared
using debbindiff and the results are easily browseable [REPRODUCIBLE].

The “reproducibility” status has been integrated into
tracker.debian.org [TRACKER], the Developer's Package Overview [DDPO]
and the Maintainer Dashboard [DMD].

For more details on what has been done and also tried in the past,
please refer to the project history [HISTORY].

Bug filing with patches

We have started to propose patches to make packages build reproducibly
and tagged them with appropriate usertags and the user
<reproducible-builds@lists.alioth.debian.org> [BUGS].

And the number [GRAPH] got quite high quite fast. As more than 400 have
already been sent, please consider this email as an overdue announcement
for the mass bug filing.


If you want to help, a first step is to check the reproducibility of
your packages [DDLIST]. Feel free to ask for help on the
<reproducible-builds@lists.alioth.debian.org> mailing list or in
#debian-reproducible on irc.debian.org.

Reproducible builds for Debian are still in the design phase; the work
is not finished by far.  To give one (important) example: we are still
looking to find the best approach for integration within the archive.
But there is more work to do: the project has a large scope and touches
all areas of Debian. Many small and greater things remain to be
done [CONTRIBUTE]. You are most welcome to join the fun!

Further discussion

Last but not least: given the amazing progress, we feel reproducible
builds could become a release goal for Stretch (Jessie+1) — and some
even think it should! We will submit a proper proposal after Jessie is

Until then, we would like to invite you to discuss the reproducible
builds project at large by following up to
<debian-devel@lists.debian.org> — just please keep our mailing list
<reproducible-builds@lists.alioth.debian.org> cc'ed for those who are
not subscribed to debian-devel@l.d.o.

    yours sincerely,
      for the Debian reproducible builds team,
        Andrew Ayer
        Chris Lamb
        Chris West
        Christoph Berg
        Holger Levsen
        Mattia Rizzolo
        Reiner Herrmann
        Ximin Luo

          [WIKI]: https://wiki.debian.org/ReproducibleBuilds
     [INTERVIEW]: https://fosdem.org/2015/interviews/2015-holger-levsen/
     [TOOLCHAIN]: https://wiki.debian.org/ReproducibleBuilds/ExperimentalToolchain
        [ISSUES]: https://reproducible.debian.net/index_issues.html
       [JENKINS]: https://jenkins.debian.net/view/reproducible/
         [NOTES]: https://reproducible.debian.net/index_notes.html
    [DEBBINDIFF]: https://packages.debian.org/sid/debbindiff
  [REPRODUCIBLE]: https://reproducible.debian.net/
       [TRACKER]: https://tracker.debian.org/
          [DDPO]: https://qa.debian.org/developer.php
           [DMD]: https://udd.debian.org/dmd/
       [HISTORY]: https://wiki.debian.org/ReproducibleBuilds/History
          [BUGS]: http://deb.li/3oX61
         [GRAPH]: https://reproducible.debian.net/stats_bugs.png
        [DDLIST]: https://reproducible.debian.net/index_dd-list.html
    [CONTRIBUTE]: https://wiki.debian.org/ReproducibleBuilds/Contribute
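
An added illustration of the double-build comparison the mail describes (not part of the original message and not the project's tooling): the same constructed files are packed in two environments that differ in file ordering, wall-clock time and username/uid, and the digests are compared with and without normalization. All names and values (`ENV_A`, `ENV_B`, `FIXED_EPOCH`, `build`, `reproducible`) are hypothetical, and a plain tar archive with a SHA-256 comparison stands in for .deb files and debbindiff.

```python
import hashlib
import io
import tarfile

# Constructed sample payload standing in for a package's files.
FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"hello docs\n",
}

# Two hypothetical build environments differing in the ways the mail lists:
# file ordering, wall-clock time, and username/uid (values are constructed).
ENV_A = dict(order=sorted(FILES), clock=1423000000, uid=1000, user="builder1")
ENV_B = dict(order=sorted(FILES, reverse=True), clock=1423086400, uid=1111,
             user="builder2")

FIXED_EPOCH = 1420070400  # assumed pinned timestamp (2015-01-01 UTC)


def build(order, clock, uid, user, normalize=False):
    """Pack FILES into a tar as one build would; return its SHA-256."""
    names = sorted(order) if normalize else list(order)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(FILES[name])
            info.mode = 0o644
            if normalize:
                # Strip everything inherited from the build environment.
                info.mtime, info.uid, info.gid = FIXED_EPOCH, 0, 0
                info.uname = info.gname = "root"
            else:
                info.mtime, info.uid, info.gid = clock, uid, uid
                info.uname = info.gname = user
            tar.addfile(info, io.BytesIO(FILES[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def reproducible(normalize):
    """Build once in each environment and compare the resulting digests."""
    return build(**ENV_A, normalize=normalize) == build(**ENV_B, normalize=normalize)


if __name__ == "__main__":
    print("naive builds identical:     ", reproducible(False))
    print("normalized builds identical:", reproducible(True))
```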
