Reproducible Builds — proof of concept successful for 83% of all sources in main

To: debian-devel-announce@lists.debian.org

Cc: reproducible-builds@lists.alioth.debian.org

Subject: Reproducible Builds — proof of concept successful for 83% of all sources in main

From: Reproducible builds folks <reproducible-builds@lists.alioth.debian.org>

Date: Fri, 13 Feb 2015 18:28:42 +0100

Message-id: <[🔎] 20150213172842.GB688@loar>

Mail-followup-to: reproducible-builds@lists.alioth.debian.org, debian-devel@lists.debian.org

Hi *, We are happy to report on the status of the “Reproducible Builds” project [WIKI]. In short, reproducible builds are about enabling anyone to independently confirm that a given binary .deb was built from some specified source .dsc. Progress ======== We have been making great progress recently; after more than a year of work, we are proud to announce that we found 83.5% of all source packages in sid main can be rebuilt reproducibly! A more verbose summary can be read in the interview given for the latest FOSDEM [INTERVIEW] — this interview was team work, even though it doesn't look like it. ;-) The current result has mostly been achieved via experimental changes in toolchain packages available from a dedicated repository [TOOLCHAIN]. So far, more than 2,000 “unreproducible” packages have been investigated [NOTES]. Several core (e.g. linux) and other packages have already received patches to make them build reproducibly. A summary of the most common issues is available [ISSUES]. Tools ===== debbindiff [DEBBINDIFF] has been written to provide in-depth detailed diffs of binary packages. Several jobs running on jenkins.debian.net continuously rebuild all packages in unstable twice [JENKINS]. The second build environment differs in (wall-clock) time, file ordering, CPU ordering, hostname, username/uid, groupname/gid, and locale. The binaries are compared using debbindiff and the results are easily browseable [REPRODUCIBLE]. The “reproducibility” status has been integrated into tracker.debian.org [TRACKER], the Developer's Package Overview [DDPO] and the Maintainer Dashboard [DMD]. For more details on what has been done and also tried in the past, please refer to the project history [HISTORY]. Bug filing with patches ======================= We have started to propose patches to make packages build reproducibly and tagged them with appropriate usertags and the user <reproducible-builds@lists.alioth.debian.org> [BUGS]. And the number [GRAPH] got quite high quite fast. As more than 400 have already been sent, please consider this email as an overdue announcement for the mass bug filing. Contribute ========== If you want to help, a first step is to check the reproducibility of your packages [DDLIST]. Feel free to ask for help on the <reproducible-builds@lists.alioth.debian.org> mailing list or in #debian-reproducible on irc.debian.org. Reproducible builds for Debian are still in the design-phase, the work is not finished by far. To give one (important) example: we are still looking to find the best approach for integration within the archive. But there is more work to do, the project has a large scope and touches all areas of Debian. Many small and greater things remain to be done [CONTRIBUTE]. You are most welcome to join the fun! Further discussion ================== Last but not least: given the amazing progress, we feel reproducible builds could become a release goal for Stretch (Jessie+1) — and some even think it should! We will submit a proper proposal after Jessie is out. Until then, we would like to invite you to discuss the reproducible builds project at large by following up to <debian-devel@lists.debian.org> — just please keep our mailing list <reproducible-builds@lists.alioth.debian.org> cc'ed for those who are not subscribed to debian-devel@l.d.o. yours sincerely, for the Debian reproducible builds team, Andrew Ayer Chris Lamb Chris West Christoph Berg Holger Levsen Lunar Mattia Rizzolo Reiner Herrmann Ximin Luo [WIKI]: https://wiki.debian.org/ReproducibleBuilds [INTERVIEW]: https://fosdem.org/2015/interviews/2015-holger-levsen/ [TOOLCHAIN]: https://wiki.debian.org/ReproducibleBuilds/ExperimentalToolchain [ISSUES]: https://reproducible.debian.net/index_issues.html [JENKINS]: https://jenkins.debian.net/view/reproducible/ [NOTES]: https://reproducible.debian.net/index_notes.html [DEBBINDIFF]: https://packages.debian.org/sid/debbindiff [REPRODUCIBLE]: https://reproducible.debian.net/ [TRACKER]: https://tracker.debian.org/ [DDPO]: https://qa.debian.org/developer.php [DMD]: https://udd.debian.org/dmd/ [HISTORY]: https://wiki.debian.org/ReproducibleBuilds/History [BUGS]: http://deb.li/3oX61 [GRAPH]: https://reproducible.debian.net/stats_bugs.png [DDLIST]: https://reproducible.debian.net/index_dd-list.html [CONTRIBUTE]: https://wiki.debian.org/ReproducibleBuilds/Contribute