Re: Moving towards a deb-buildinfo(5) Format 1.0

On Sun 2016-11-13 22:33:29 +0900, Chris Lamb wrote:

>> Multiple builds of the same source package will set SOURCE_DATE_EPOCH to
>> the same value but will result in a different Build-Date.
> … but that would mean that a reproducible build will result in .buildinfo
> files with different contents (varying on Build-Date).
> That seems, at the very least, somewhat non-intuitive to me.

It is definitely not what most of us initially expected, but it is
actually what we want.

I look at it this way:

 * Ideally, the generated binary packages are reproducible *even when
   the build environment changes*.  For example, I build a package as
   the user "dkg" on machine "alice" in path /home/dkg/src/foo, and you
   build it as "lamby" on machine "bob" in path
   /home/lamby/work/foo/foo, and we should get the same outcome.

 * The buildinfo file documents things that *might* influence the build,
   but it also documents things that *should not* influence the build.
   Two differing buildinfo files that produced the same output
   effectively say "even when the build environment varies in the way
   that these two do, the package is still reproducible".

 * We actually don't want people to have to replicate the exact build
   environment to get a binary match.  I think it was Ximin who pointed
   out: "all software is reproducible if you create an exact
   atom-by-atom copy of the original build computer before building".
   But that's not what we really mean by reproducible builds.

In short, we *want* buildinfos to vary, while we want the generated
binary artifacts to be reproducible.
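
[Added example, not part of the original message and not dpkg or Debian tooling.] The Python code below compares two buildinfo paragraphs the way the message describes: the recorded artifact checksums must match, while the other fields are reported as the environment variation the build tolerated. The package foo, the digests, the dates and all function names are constructed for illustration; it assumes unsigned input carrying a Checksums-Sha256 field and does not verify signatures.

```python
# Added example: constructed data, not real .buildinfo files.
def parse_buildinfo(text):
    """Parse one unsigned deb822-style paragraph into {field: value}."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current:      # continuation line
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields

def artifacts(fields):
    """Map filename -> (sha256, size) from the Checksums-Sha256 field."""
    out = {}
    for entry in fields.get("Checksums-Sha256", "").splitlines():
        parts = entry.split()
        if len(parts) == 3:
            out[parts[2]] = (parts[0], int(parts[1]))
    return out

def compare(a_text, b_text):
    """Return (artifacts_match, sorted names of non-checksum fields that differ)."""
    a, b = parse_buildinfo(a_text), parse_buildinfo(b_text)
    match = bool(artifacts(a)) and artifacts(a) == artifacts(b)
    varied = sorted(k for k in set(a) | set(b)
                    if not k.startswith("Checksums-") and a.get(k) != b.get(k))
    return match, varied

def sample(digest, date, path):
    """Build a constructed, minimal buildinfo paragraph."""
    return (
        "Format: 1.0\nSource: foo\nVersion: 1.0-1\n"
        "Checksums-Sha256:\n"
        f" {digest} 1234 foo_1.0-1_amd64.deb\n"
        f"Build-Date: {date}\nBuild-Path: {path}\n"
        'Environment:\n SOURCE_DATE_EPOCH="1478900000"\n'
    )

ALICE = sample("ab" * 32, "Sun, 13 Nov 2016 13:40:00 +0000", "/home/dkg/src/foo")
BOB = sample("ab" * 32, "Mon, 14 Nov 2016 09:05:00 +0000", "/home/lamby/work/foo/foo")
BAD = sample("cd" * 32, "Mon, 14 Nov 2016 09:05:00 +0000", "/home/lamby/work/foo/foo")

if __name__ == "__main__":
    print(compare(ALICE, BOB))   # same artifacts, different environment
    print(compare(ALICE, BAD))   # artifacts differ: not a reproduction
```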

