Re: Building Debian source packages reproducibly (was: Re: [RFC] Proposal for new source format)
On Mon, Oct 28, 2019 at 10:05:11AM +0100, Didier 'OdyX' Raboud wrote:
> Where I'm coming from is that we were discussing the tag2upload problem at
> miniDebConf Vaumarcus. The heart of the problem is that FTP-Master are
> (currently) not going to accept .dscs built reproducibly by a (even trusted)
> service. tag2upload is built on the idea that a signed git tag is the only
> needed thing (`git tag -s`) to trigger an upload, and that is not going to fly
Ah, now I understand the problem you're trying to solve; thanks for
What are FTP Master's objections? Given that they *do* accept a
source-only upload, which is just a signed dsc plus the source/debian
tarballs, I would presume all that would be necessary is (a)
demonstrate that we have tools which can reliably translate between a
git commit and the dsc plus source tarball, and (b) that the git tree
is stored in Debian project infrastructure so we can be assured that
it can be stored with the same level of assurance as where we store
the source tar files.
Do they have other concerns? If so, what are they? I would be
surprised that it has anything at all to do with reliable builds,
given the acceptance of source-only uploads today.
> The hard part is not the packing and unpacking of the special tag; that's
> mostly just strings massaging. But building the exact same source package in
> different environments is harder than I expected.
Is there more than just (a) making sure the package can be built
reproducibly in the first place, and (b) the information in the
Of course, the big problem is that not all packages are currently set
up to be reproducibly built; for example if you try to compile using
Link Optimization (LTO), you're completely out of luck. (I've since
dropped use of LTO to deal with this issue.)
But if it *is* reproducibly buildable, are there cases where setting up
a build environment using the information in buildinfo is not enough?
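One way to check the "same source package in different environments" question concretely: a signed .dsc pins the source and debian tarballs by size and SHA-256, so two independent builds reproduce the same source package exactly when those Checksums-Sha256 entries agree, whoever signed each .dsc. The script below is an added example for this thread, not anything from tag2upload or dpkg; the tarball contents, the minimal .dsc fields and the placeholder signature armour are all constructed.

```python
import hashlib

# Constructed stand-ins for the two tarballs a source-only upload carries;
# environment B produced a debian tarball whose bytes differ (e.g. an mtime).
ORIG = b"example-1.0 upstream tarball bytes (constructed)\n"
DEBIAN_A = b"debian/ tarball, build environment A (constructed)\n"
DEBIAN_B = b"debian/ tarball, build environment B, mtime differs (constructed)\n"
FILES_A = {"example_1.0.orig.tar.xz": ORIG, "example_1.0-1.debian.tar.xz": DEBIAN_A}
FILES_B = {"example_1.0.orig.tar.xz": ORIG, "example_1.0-1.debian.tar.xz": DEBIAN_B}

def make_dsc(files):
    """Render a minimal clear-signed .dsc for {name: bytes} (constructed; signature is a placeholder)."""
    sums = "".join(f" {hashlib.sha256(d).hexdigest()} {len(d)} {n}\n" for n, d in files.items())
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            "Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n"
            f"Checksums-Sha256:\n{sums}"
            "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")

def strip_clearsign(text):
    """Drop the OpenPGP clearsign armour and return the signed RFC822-style body."""
    lines = text.splitlines()
    if lines and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----":
        body = lines[1:lines.index("-----BEGIN PGP SIGNATURE-----")]
        body = body[body.index("") + 1:]          # skip armour headers such as "Hash: SHA256"
        return "\n".join(body) + "\n"
    return text

def parse_checksums(text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from the .dsc's multi-line checksum field."""
    out, active = {}, False
    for line in strip_clearsign(text).splitlines():
        if active and line.startswith(" "):
            digest, size, name = line.split()
            out[name] = (digest, int(size))
        else:
            active = line.startswith(field + ":")   # continuation lines follow the field name
    return out

def verify(dsc_text, files):
    """Names whose size or SHA-256 disagree with the .dsc, or which are missing altogether."""
    bad = []
    for name, (digest, size) in parse_checksums(dsc_text).items():
        data = files.get(name)
        if data is None or len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    return bad

def same_source_package(dsc_a, dsc_b):
    """True when two .dsc files pin byte-identical tarballs, regardless of who signed them."""
    return parse_checksums(dsc_a) == parse_checksums(dsc_b)
```

Running `verify` against a rebuilt tree pinpoints which tarball drifted, which is usually the debian tarball when the difference comes from the build environment rather than upstream.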