
Bug#844431: Reproducibility in Policy
control: user debian-policy@packages.debian.org
control: usertag = normative proposal

Hello,

==== Proposal: ====

This is what Holger and I think we should add to Policy, after
readability tweaks:

    Packages should build reproducibly, which for purposes of this
    document means that given

    - a version of a source package unpacked at a given path;
    - a set of versions of installed build-dependencies; and
    - a build architecture,

    repeatedly building the source package on the architecture with those
    versions of the build dependencies installed will produce bit-for-bit
    identical binary packages.

==== Explanation: ====

The definition from the reproducible builds group[1] says:

    A build is reproducible if given the same source code, build
    environment and build instructions, any party can recreate
    bit-by-bit identical copies of all specified artifacts.

    The relevant attributes of the build environment, the build
    instructions and the source code as well as the expected
    reproducible artifacts are defined by ... distributors.

i.e. Debian has to define the build environment, source code and build
instructions.  I think that my wording defines these as Debian currently
understands them.

Later, we could narrow the definition of build environment by adding
more constraints, but we're not there yet.

[1]  https://reproducible-builds.org/docs/definition/

-- 
Sean Whitton
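As an added illustration of the proposed definition (this is not part of the bug report or of Debian's tooling), the script below compares two build trees the way the policy text frames reproducibility: it first checks that the recorded inputs (source version and unpack path, build-dependency versions, build architecture) are identical, and only then compares the produced binary packages byte for byte. The `inputs.txt` format, the directory layout and the sample build contents are constructed for the example; the "packages" are plain files, not real .deb archives.

```shell
#!/bin/sh
# Added example, not from the bug report. Each build directory is assumed
# to hold the produced .deb files plus a constructed inputs.txt recording
# the three inputs named in the proposed policy wording.

# Inputs must match, or a difference in output says nothing about
# reproducibility: it may just reflect a different build-dependency set.
same_inputs() {
    cmp -s "$1/inputs.txt" "$2/inputs.txt"
}

# Returns 0 if both directories contain the same set of .deb names and every
# pair is bit-for-bit identical, 1 otherwise (differing files are printed).
# Artifact names are assumed to contain no whitespace.
compare_builds() {
    dir1=$1; dir2=$2; status=0
    [ -d "$dir1" ] && [ -d "$dir2" ] || return 1
    names1=$(cd "$dir1" && ls *.deb 2>/dev/null | sort)
    names2=$(cd "$dir2" && ls *.deb 2>/dev/null | sort)
    if [ "$names1" != "$names2" ]; then
        echo "artifact sets differ"
        return 1
    fi
    for f in $names1; do
        if ! cmp -s "$dir1/$f" "$dir2/$f"; then
            echo "differs: $f"
            status=1
        fi
    done
    return $status
}

# 0: reproducible, 1: same inputs but different output, 2: inputs differ.
check_reproducible() {
    if ! same_inputs "$1" "$2"; then
        echo "inputs differ; not a reproducibility comparison"
        return 2
    fi
    compare_builds "$1" "$2"
}

# Constructed sample builds: a and b are identical, c embeds a build
# timestamp (a classic cause of irreproducibility), d was built for another
# architecture. All names and versions here are made up.
make_sample_builds() {
    base=$1
    for b in a b c d; do
        mkdir -p "$base/$b"
        printf 'source=example_1.0-1 path=/build/example-1.0\n' > "$base/$b/inputs.txt"
        printf 'build_deps=debhelper=EXAMPLE gcc=EXAMPLE\n' >> "$base/$b/inputs.txt"
        printf 'arch=amd64\n' >> "$base/$b/inputs.txt"
        printf 'example-binary-contents' > "$base/$b/example_1.0-1_amd64.deb"
    done
    printf 'example-binary-contents built 2016-11-15T10:00:00' \
        > "$base/c/example_1.0-1_amd64.deb"
    sed 's/arch=amd64/arch=i386/' "$base/a/inputs.txt" > "$base/d/inputs.txt"
}

# Demo run (safe to delete when sourcing the functions elsewhere).
tmp=$(mktemp -d)
make_sample_builds "$tmp"
check_reproducible "$tmp/a" "$tmp/b" && echo "a vs b: reproducible"
check_reproducible "$tmp/a" "$tmp/c" || echo "a vs c: not reproducible"
check_reproducible "$tmp/a" "$tmp/d" || echo "a vs d: comparison refused"
rm -rf "$tmp"
```

The input check is the part worth keeping in mind when reading the proposal: the policy text only promises identical output when the source path, build-dependency versions and architecture are all held fixed, so a verification tool has to establish that before it can call a differing package a reproducibility bug.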
