Debian Bug report logs - #844431

debian-policy: Packages should be reproducible

Reported by: Chris Lamb <lamby@debian.org>
Date: Tue, 15 Nov 2016 17:30:01 UTC
Owned by: Sean Whitton <spwhitton@spwhitton.name>
Severity: normal
Found in version debian-policy/3.9.8.0
Fixed in version debian-policy/4.1.0.0
Done: Sean Whitton <spwhitton@spwhitton.name>
Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-builds@lists.alioth.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Tue, 15 Nov 2016 17:30:04 GMT)

Acknowledgement sent to Chris Lamb <lamby@debian.org>: New Bug report received and forwarded. Copy sent to reproducible-builds@lists.alioth.debian.org, Debian Policy List <debian-policy@lists.debian.org>. (Tue, 15 Nov 2016 17:30:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: submit@bugs.debian.org
Subject: Packages should be reproducible
Date: Tue, 15 Nov 2016 17:27:44 +0000

Package: debian-policy
Version: 3.9.8.0
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Dear Policy maintainers,

Whilst anyone can inspect the source code in Debian for malicious flaws, we distribute pre-compiled binaries to end users. The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

Debian has been making great strides to make itself reproducible, contributing 100s of patches, not only within Debian itself but also to upstream projects. We have also been running a comprehensive and non-trivial CI framework to test for reproducibility of packages for quite some time.

However, the recent arrival of the final pieces of the toolchain into unstable encourages me to propose that we add a recommendation that packages in Debian should be reproducible. This would act both as documentation of a modern best practice, but also as a "placeholder" so that we can increase its severity at some future date.

[As a mild suggestion to streamline this; we should probably come to some consensus on the principle of this addition to Policy first and only then move to the more difficult topic of defining exactly what reproducibility means in a technical sense.]

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Changed Bug title to 'debian-policy: Packages should be reproducible' from 'Packages should be reproducible'. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Tue, 15 Nov 2016 17:57:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Tue, 15 Nov 2016 19:45:02 GMT)

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Tue, 15 Nov 2016 19:45:02 GMT)

Message #12 received at 844431@bugs.debian.org:

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Chris Lamb <lamby@debian.org>, 844431@bugs.debian.org
Subject: Re: Bug#844431: Packages should be reproducible
Date: Tue, 15 Nov 2016 17:40:58 -0200

On Tue, 15 Nov 2016, Chris Lamb wrote:
> [As a mild suggestion to streamline this; we should probably come to some
> consensus on principle of this addition to Policy first and only then
> move to the more difficult topic of defining exactly what reproducibility
> means in a technical sense.]

I don't think there will be much of a contention about this.

Please propose wording (i.e. the diff to the policy text), but I recommend that you do *not* use "should" or "must" to make such reproducibility mandatory right now, only to define stuff like "*if* it is built for reproducibility, it must do so in such a way that...", etc.

Enforcing package reproducibility (should/must in policy) has to wait until a majority of the packages are effectively being reproducibly built for a small while (to shake out any issues), and the tooling ecosystem is complete so that it is actually usable to verify things. IMHO, this would be best done only after stretch is released, even if we reach >85% reproducibility levels *and* a full, working toolset before that.

As a suggestion, since a "may build reproducibly" policy is not going to give the readers the desired idea, the policy text proposal could use words to the effect that "it is recommended that", and "in the future, this will become a requirement".

Any packages that absolutely cannot be built in a reproducible way[1] can become officially allowed exceptions -- and we could likely teach the verification tools that specific regions of a package/file are to be random, and ignore those when comparing for reproducibility, too. But this would be tackled in the future, between the time an already implemented policy of SHOULD is out and >95% of the packages are being built reproducibly and policy is about to be changed to MUST. Therefore, the initial proposal just needs to acknowledge that this fact could happen and will be dealt with in time.

[1] Such as random noise added to kernel and firmware data structures during local builds, to be used as a last defense to avoid the *herd using same keys* effects, etc.

-- 
Henrique Holschuh

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Thu, 17 Nov 2016 14:30:10 GMT)

Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Thu, 17 Nov 2016 14:30:10 GMT)

Message #17 received at 844431@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Henrique de Moraes Holschuh <hmh@debian.org>, 844431@bugs.debian.org
Subject: Re: Bug#844431: Packages should be reproducible
Date: Thu, 17 Nov 2016 12:30:44 +0100

Henrique de Moraes Holschuh wrote:
> I don't think there will be much of a contention about this.

Great :)

> Please propose wording (i.e. the diff to the policy text), but
> I recommend that you do *not* use "should" or "must" to make such
> reproducibility mandatory right now.

Completely agreed. Any requirement would be counter-productive and ultimately premature at this stage.

I've attached an initial wording to get us going. I'm not 100% convinced with it myself but it should help start any discussion in this area.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 07 May 2017 15:39:03 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 07 May 2017 15:39:03 GMT)

Message #22 received at 844431@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: 844431@bugs.debian.org
Cc: Reproducible Builds discussion list <reproducible-builds@lists.alioth.debian.org>
Subject: policy: packages should be reproducible
Date: Sun, 7 May 2017 15:35:00 +0000

hi,

unsurprisingly I'm also in favor of making this policy change, now.

I also believe there is quite a consensus (definitely a rough one…) in Debian for making this change, judging by the feedback we got at 3 DebConfs since 2013, several mini DebConfs and other events, plus the general feedback in the form of code merges and uploads.

At the Reproducible Builds Hackathon in Hamburg we were reminded of the former DPL asking DDs to be "more bold" doing sensible changes forward, and as such we plan that starting with the development phase of "buster" we'll consider bugs about reproducible builds issues to be of severity "normal", not "wishlist". This shall be announced on d-d-a soon & given there is no disagreement on this procedure on this bug.

Last and least for now: the wording of
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=844431;filename=debian-policy.diff.txt;msg=17
IMO is almost good as it is, though I'll try to amend it to include the definition of reproducible builds from reproducible-builds.org.

-- 
cheers,
	Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 07 May 2017 17:18:03 GMT)

Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 07 May 2017 17:18:03 GMT)

Message #27 received at 844431@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Holger Levsen <holger@layer-acht.org>, 844431@bugs.debian.org
Cc: Reproducible Builds discussion list <reproducible-builds@lists.alioth.debian.org>
Subject: Re: policy: packages should be reproducible
Date: Sun, 07 May 2017 18:15:38 +0100

Hi Holger,

> unsurprisingly I'm also in favor of making this policy change, now.

Actually, yes, why were we waiting for stretch to be released? :)

> Last and least for now: the wording of
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=844431;filename=debian-policy.diff.txt;msg=17
> IMO is almost good as it is, though I'll try to amend it to include the
> definition of reproducible builds from reproducible-builds.org.

That seems the next concrete step.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 07 May 2017 20:57:04 GMT)

Acknowledgement sent to Daniel Shahaf <danielsh@apache.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 07 May 2017 20:57:04 GMT)

Message #32 received at 844431@bugs.debian.org:

From: Daniel Shahaf <danielsh@apache.org>
To: 844431@bugs.debian.org
Subject: Re: Bug#844431: Packages should be reproducible
Date: Sun, 7 May 2017 20:54:16 +0000

Chris Lamb wrote on Thu, Nov 17, 2016 at 12:30:44 +0100:
> +++ b/policy.sgml
> @@ -2503,6 +2503,20 @@ endif
> + <sect id="readmesource">

Note that the id should be changed before applying, since there already is a sect with this id value.
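Review bot: the id on `<sect id="readmesource">` duplicates a section id already present in policy.sgml, as the reply points out; ID attribute values must be unique within an SGML document, so the new section needs its own distinct id (one that names the reproducible-builds topic) before this hunk is applied.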

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Thu, 11 May 2017 12:57:02 GMT)

Acknowledgement sent to Bill Allombert <ballombe@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Thu, 11 May 2017 12:57:02 GMT)

Message #37 received at 844431@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Holger Levsen <holger@layer-acht.org>, 844431@bugs.debian.org
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Thu, 11 May 2017 14:42:43 +0200

On Sun, May 07, 2017 at 03:35:00PM +0000, Holger Levsen wrote:
> hi,
>
> unsurprisingly I'm also in favor of making this policy change, now.
>
> I also believe there is quite a consensus (definitly a rough one…) in Debian
> for making this change, judging by the feedback we got at 3 DebConfs since 2013,
> several mini Debconfs and other events, plus the general feedback in the form
> of code merges and uploads.
>
> At the Reproducible Builds Hackathon in Hamburg we were reminded of the former
> DPL asking DDs to be "more bold" doing sensible changes forward, and as such
> we plan that starting with the development phase of "buster" we'll consider
> bugs about reproducible builds issues to be of severity "normal", not "wishlist".

I really think there should be an official tool to build packages reproducibly with an interface like cowbuilder. Currently, there is too much uncertainty about the process for bug reports to be of severity normal.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 14 May 2017 14:39:06 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 14 May 2017 14:39:06 GMT)

Message #42 received at 844431@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Bill Allombert <ballombe@debian.org>
Cc: 844431@bugs.debian.org
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Sun, 14 May 2017 14:36:46 +0000

On Thu, May 11, 2017 at 02:42:43PM +0200, Bill Allombert wrote:
> I really think there should be an official tool to do build packages
> reproducibly with an interface like cowbuilder.

the official tool to build packages reproducibly in sid is called "dpkg-buildpackage" (since dpkg 1.18.16, in sid since 2016-12-17).

-- 
cheers,
	Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 14 May 2017 14:54:05 GMT)

Acknowledgement sent to Bill Allombert <ballombe@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 14 May 2017 14:54:05 GMT)

Message #47 received at 844431@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: 844431@bugs.debian.org
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Sun, 14 May 2017 16:51:47 +0200

On Sun, May 14, 2017 at 02:36:46PM +0000, Holger Levsen wrote:
> On Thu, May 11, 2017 at 02:42:43PM +0200, Bill Allombert wrote:
> > I really think there should be an official tool to do build packages
> > reproducibly with an interface like cowbuilder.
>
> the official tool to build packages reproducible in sid is called
> "dpkg-buildpackage" (since dpkg 1.18.16 in sid since 2016-12-17).

So if your package builds with "dpkg-buildpackage" then the build is reproducible and any bug report to the contrary is in error?

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 14 May 2017 15:03:05 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 14 May 2017 15:03:05 GMT)

Message #52 received at 844431@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Bill Allombert <ballombe@debian.org>
Cc: 844431@bugs.debian.org
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Sun, 14 May 2017 14:58:27 +0000

On Sun, May 14, 2017 at 04:51:47PM +0200, Bill Allombert wrote:
> > the official tool to build packages reproducible in sid is called
> > "dpkg-buildpackage" (since dpkg 1.18.16 in sid since 2016-12-17).
> So if your package builds with "dpkg-buildpackage" then the build is
> reproducible and any bug report to the contrary is in error ?

almost. 93% of the packages in stretch today can be rebuilt bit-by-bit identically. that's why we're now aiming at "packages should be reproducible" and not for "must be reproducible"… (but plan to later aim for "must be").

-- 
cheers,
	Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 14 May 2017 15:06:08 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 14 May 2017 15:06:08 GMT)

Message #57 received at 844431@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Chris Lamb <lamby@debian.org>
Cc: 844431@bugs.debian.org, Reproducible Builds discussion list <reproducible-builds@lists.alioth.debian.org>
Subject: Re: policy: packages should be reproducible
Date: Sun, 14 May 2017 15:04:40 +0000

On Sun, May 07, 2017 at 06:15:38PM +0100, Chris Lamb wrote:
> > unsurprisingly I'm also in favor of making this policy change, now.
> Actually, yes, why were we waiting for stretch to be released? :)

good question. I guess because of a mental barrier against doing changes targeted post-stretch now :)

> > Last and least for now: the wording of
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=844431;filename=debian-policy.diff.txt;msg=17
> > IMO is almost good as it is, though I'll try to amend it to include the
> > definition of reproducible builds from reproducible-builds.org.
> That seems the next concrete step.

indeed! Will see to work on this the next days…

-- 
cheers,
	Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 14 May 2017 15:06:13 GMT)

Acknowledgement sent to Bill Allombert <ballombe@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 14 May 2017 15:06:13 GMT)

Message #62 received at 844431@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: 844431@bugs.debian.org
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Sun, 14 May 2017 17:05:36 +0200

On Sun, May 14, 2017 at 02:58:27PM +0000, Holger Levsen wrote:
> On Sun, May 14, 2017 at 04:51:47PM +0200, Bill Allombert wrote:
> > > the official tool to build packages reproducible in sid is called
> > > "dpkg-buildpackage" (since dpkg 1.18.16 in sid since 2016-12-17).
> > So if your package builds with "dpkg-buildpackage" then the build is
> > reproducible and any bug report to the contrary is in error ?
>
> almost. 93% of the packages in stretch today can be re-build bit by bit
> identically.

OK, but how can I check that my package build is reproducible before uploading it?

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 14 May 2017 15:24:02 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 14 May 2017 15:24:02 GMT)

Message #67 received at 844431@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Bill Allombert <ballombe@debian.org>
Cc: 844431@bugs.debian.org
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Sun, 14 May 2017 15:20:54 +0000

On Sun, May 14, 2017 at 05:05:36PM +0200, Bill Allombert wrote:
> OK, but how can I check that my package build is reproducible before uploading
> it ?

in general you cannot find out with 100% certainty whether a given source package will be reproducible. You can only find out with certainty if a package is *not* reproducible…

that said

a.) go to http://reproducible.debian.net/$srcpkg and see if it's reproducible today.

Bill, did you do this for your packages?
And then there is also https://tests.reproducible-builds.org/debian/unstable/index_dd-list.html#ballombe@debian.org which shows that half of your 26 packages in sid (main) are unreproducible with build path variation, though most of those unreproducible ones are reproducible without build path variation…
-> https://tests.reproducible-builds.org/debian/testing/index_dd-list.html#ballombe@debian.org only shows 4 unreproducible packages…

b.) build it twice and compare using diffoscope

c.) use reprotest

-- 
cheers,
	Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 14 May 2017 20:00:10 GMT)

Acknowledgement sent to Guillem Jover <guillem@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 14 May 2017 20:00:10 GMT)

Message #72 received at 844431@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Holger Levsen <holger@layer-acht.org>, 844431@bugs.debian.org
Cc: Bill Allombert <ballombe@debian.org>
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Sun, 14 May 2017 21:58:12 +0200

On Sun, 2017-05-14 at 15:20:54 +0000, Holger Levsen wrote:
> On Sun, May 14, 2017 at 05:05:36PM +0200, Bill Allombert wrote:
> > OK, but how can I check that my package build is reproducible before uploading
> > it ?
>
> in general you cannot find out with 100% certainity whether a given source package
> will be reproducible. You can only find out with certainity if a package is *not*
> reproducible…
>
> that said
>
> a.) go to http://reproducible.debian.net/$srcpkg and see if its reproducible today.
>
> Bill, did you do this for your packages?
> And then there is also https://tests.reproducible-builds.org/debian/unstable/index_dd-list.html#ballombe@debian.org
> which shows that half of your 26 packages in sid (main) are unreproducible
> with build path variation, though most of those unreproducible ones
> are reproducible without build path variation…
> -> https://tests.reproducible-builds.org/debian/testing/index_dd-list.html#ballombe@debian.org
> only shows 4 unreproducible packages…

b.0.) use debrepro (from devscripts)

> b.) build it twice and compare using diffoscope
> c.) use reprotest

Thanks,
Guillem

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 14 May 2017 22:00:04 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 14 May 2017 22:00:04 GMT)

Message #77 received at 844431@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Guillem Jover <guillem@debian.org>
Cc: 844431@bugs.debian.org, Bill Allombert <ballombe@debian.org>
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Sun, 14 May 2017 21:57:53 +0000

On Sun, May 14, 2017 at 09:58:12PM +0200, Guillem Jover wrote:
> On Sun, 2017-05-14 at 15:20:54 +0000, Holger Levsen wrote:
> > Bill, did you do this for your packages?

on re-reading what I wrote here, it occurred to me that this could be read *hostile* despite me having *zero* intentions to be hostile… I just wanted to be friendly and give helpful URLs to you, Bill… I'm sorry if this came across differently!

> b.0.) use debrepro (from devscripts)

Thanks for this additional hint, Guillem!

-- 
cheers,
	Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 14 May 2017 22:09:03 GMT)

Acknowledgement sent to Bill Allombert <ballombe@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 14 May 2017 22:09:03 GMT)

Message #82 received at 844431@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: 844431@bugs.debian.org
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Mon, 15 May 2017 00:05:17 +0200

On Sun, May 14, 2017 at 03:20:54PM +0000, Holger Levsen wrote:
> On Sun, May 14, 2017 at 05:05:36PM +0200, Bill Allombert wrote:
> a.) go to http://reproducible.debian.net/$srcpkg and see if its reproducible today.

As I said, I would like to check that my package build is reproducible before I upload it, not after, so I can be sure that any bug is fixed in the upload.

Some of my packages were listed as reproducible for several months and then became unreproducible without any new upload. I do not mind that.

However from a policy point of view, reproducible needs to be defined precisely. Generally speaking, reproducible means that the build will not change if some (but not all) parameters are changed. What parameters are allowed to change needs to be defined. One way to specify that would be to provide an authoritative tool to validate packages.

Cheers,

PS: I thank you for your advice, I will reply to you privately if I need to.
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Sun, 14 May 2017 23:18:04 GMT)

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 14 May 2017 23:18:04 GMT)

Message #87 received at 844431@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Bill Allombert <ballombe@debian.org>
Cc: 844431@bugs.debian.org
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Sun, 14 May 2017 23:15:26 +0000

On Mon, May 15, 2017 at 12:05:17AM +0200, Bill Allombert wrote:
> On Sun, May 14, 2017 at 03:20:54PM +0000, Holger Levsen wrote:
> > On Sun, May 14, 2017 at 05:05:36PM +0200, Bill Allombert wrote:
> > a.) go to http://reproducible.debian.net/$srcpkg and see if its reproducible today.
> As I said, I would like to check that my package build is reproducible before
> I upload it, not after, so I can be sure that any bug is fixed in the
> upload.

b.), b.0), c.) and d.) were given as possible "tools" *to build twice with (some) variation(s) and compare the results*.

"Reproducible Builds" (in the sense of bit-by-bit identical builds) is really a rather new field in the era of software (well, not really, but that's history and bit-rotted until it was rediscovered in the early 2010s…)

What is trivial, if given, is to show that a package is *un*reproducible.

It's much harder to show that a package is reproducible.

And given that this is a new field I think it's ok, while somewhat unsatisfying, that maybe some unreproducibility will only be detected by a more advanced tool, like reproducible.debian.net (which ain't a, b, c nor d, but e.) after an upload has taken place.

This is one of the reasons we are aiming for "packages *should* be reproducible" now, and not "*must* be".

> Some of my package were listed as reproducible for several months and
> then became unreproducible without any new upload. I do not mind that.

I guess this is because we introduced many more variations during 2014 and 2015. During 2016 I don't recall us introducing many variations, or rather many causing many new unreproducibility issues… For 2017 there weren't any.

> However from a policy point of view, reproducible need to be defined
> precisely.

Yes!

> Generally speaking, reproducible means that the build will
> not change if some (but not all) parameters are changed.

Yes.

> What parameters
> are allowed to change need to be defined.

I sadly think this is impossible.

> One way is specify that would be to provide an authoritative tool to
> validate packages.

the tool to validate builds should be diff/sha256sum. a tool to simulate all possible variations in the wild would probably need endless time to operate…

> PS: I thanks you for your advices, I will reply to you privately if I
> need to.

While you surely can do so (and I will happily reply) I would even more happily prefer if you could ask me on a public list (and ping in private if you haven't gotten a reply in whatever you think is appropriate)… a.) then more people can learn b.) you'll probably get faster *and better replies* (esp. on language specific details) and c.) this helps me getting my inbox under control :-)

-- 
cheers,
	Holger
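Bill's question of how to check reproducibility before uploading, and Holger's answers that the check is to build twice with variation and compare with diff/sha256sum (messages #62, #67 and #87 above), as an added example that is not part of the bug report or of any Debian tool: a POSIX shell script that builds a constructed miniature package twice under build-path variation and compares the sha256sums, first with a naive build that leaks the build path into the artifact, then with the usual reproducible-archive fixes (SOURCE_DATE_EPOCH, sorted members, fixed owner, `gzip -n`). It assumes GNU tar, gzip and coreutils; the SOURCE_DATE_EPOCH value, package name and file contents are constructed.

```shell
#!/bin/sh
# Added example: "build it twice and compare" on a constructed miniature
# package so it runs offline. Real packages are built with dpkg-buildpackage
# and compared with diffoscope, reprotest or debrepro instead.

# Constructed value standing in for the timestamp dpkg-buildpackage derives
# from debian/changelog and exports as SOURCE_DATE_EPOCH.
SOURCE_DATE_EPOCH=1479230864
export SOURCE_DATE_EPOCH

# Constructed source tree standing in for an unpacked source package.
make_source() {               # $1 = directory to populate
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/hello.c"
    printf 'Package: hello-repro\nVersion: 0.1\n' > "$1/control"
}

# Naive build: records the absolute build path in the output (as __FILE__
# or debug info would) and lets tar record readdir order, current mtimes
# and the builder's uid/gid, while gzip records its own timestamp.
# Any of these can differ between two builds.
build_naive() {               # $1 = build dir, $2 = output artifact
    ( cd "$1" || exit 1
      printf 'built from %s\n' "$PWD" > src/buildinfo.txt
      tar -cf - src control | gzip > "$2" )
}

# Hardened build: path recorded relative to the source root, members sorted
# by name, mtimes clamped to SOURCE_DATE_EPOCH, fixed numeric owner, plain
# GNU format (no pax atime/ctime headers), gzip storing no name/timestamp.
build_repro() {               # $1 = build dir, $2 = output artifact
    ( cd "$1" || exit 1
      printf 'built from %s\n' "src" > src/buildinfo.txt
      tar --sort=name --mtime="@$SOURCE_DATE_EPOCH" \
          --owner=0 --group=0 --numeric-owner --format=gnu \
          -cf - src control | gzip -n > "$2" )
}

# Build twice in two different directories (the build-path variation the
# thread discusses) and compare with sha256sum. Returns 0 if the artifacts
# are identical, 1 if not, 2 on a build failure. A mismatch proves the
# build unreproducible; a match only says it survived this one variation.
check_reproducible() {        # $1 = name of a build function
    a=$(mktemp -d) && b=$(mktemp -d) || return 2
    make_source "$a" && make_source "$b"
    "$1" "$a" "$a/out.tar.gz" && "$1" "$b" "$b/out.tar.gz" || return 2
    ha=$(sha256sum "$a/out.tar.gz" | cut -d' ' -f1)
    hb=$(sha256sum "$b/out.tar.gz" | cut -d' ' -f1)
    rm -rf "$a" "$b"
    if [ "$ha" = "$hb" ]; then
        echo "$1: identical ($ha)"
        return 0
    fi
    echo "$1: differs ($ha vs $hb)"
    return 1
}

# Demo run: the naive build is expected to differ, the hardened one to match.
check_reproducible build_naive || :
check_reproducible build_repro
```

reprotest automates the same loop with more variations (time, locale, umask, user, build path) and diffoscope explains where two artifacts diverge; sha256sum only says that they do.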

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>: Bug#844431; Package debian-policy. (Mon, 15 May 2017 06:51:03 GMT)

Acknowledgement sent to Wouter Verhelst <wouter@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Mon, 15 May 2017 06:51:03 GMT)

Message #92 received at 844431@bugs.debian.org:

From: Wouter Verhelst <wouter@debian.org>
To: Holger Levsen <holger@layer-acht.org>, 844431@bugs.debian.org
Cc: Bill Allombert <ballombe@debian.org>
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Mon, 15 May 2017 08:48:23 +0200

On Sun, May 14, 2017 at 11:15:26PM +0000, Holger Levsen wrote:
> On Mon, May 15, 2017 at 12:05:17AM +0200, Bill Allombert wrote:
> > On Sun, May 14, 2017 at 03:20:54PM +0000, Holger Levsen wrote:
> > > On Sun, May 14, 2017 at 05:05:36PM +0200, Bill Allombert wrote:
> > > a.) go to http://reproducible.debian.net/$srcpkg and see if its reproducible today.
> > As I said, I would like to check that my package build is reproducible before
> > I upload it, not after, so I can be sure that any bug is fixed in the
> > upload.
>
> b.), b.0), c.) and d.) were given as possible "tools" *to build twice with
> (some) variation(s) and compare the results*.
>
> "Reproducible Builds" (in the sense of bit by bit identicall builds) is
> really a rather new field in the era of software (well, not really, but
> thats history and bit rotted until it was rediscovered in the early 2010s…)
>
> What is trivial, if given, is to show that a package is *un*reproducible.
>
> It's much harder to show that a package is reproducible.
>
> And given that this is a new field I think it's ok, while somewhat unsatisfying,
> that maybe some unreproducibility will only be detected by a more advanced
> tool, like reproducible.debian.net (which aint a,b,c nor d, but e.)
> after an upload has taken place.

I think it's probably not a good idea to (when we've moved to mandate "packages must be reproducible") allow packages to become insta-buggy by things that are out of their control and not clearly specified in policy. That's not how we do things in Debian.

As such, I would favour the following approach:

- You guys (= the reproducible builds guys) come up with a list of things that commonly make a package nonreproducible today, and policy adds those as "should not"s. If I'm not mistaken, such a list already exists, you may simply need to generalize it a bit?
- Actually, I'm sure there may be things that packages failed to comply with in the past, but that are not a problem anymore today; we can make those "must not" rules already today.
- If you find new and interesting ways to make packages nonreproducible at some point in the future, those can be added (as "should" first, and as "must" later).

This would result in a section in policy of this form:

---
# Reproducible builds

Packages should generally be reproducible. That is, a package build should result in a bit-by-bit identical package from one build to the next.

Specifically, packages must not do any of the following things:
- non-reproducible thing A
- non-reproducible thing B
- ...

Moreover, while the following are not must rules yet, packages should also not do any of the following things:
- still-in-the-wild non-reproducible thing A
- still-in-the-wild non-reproducible thing B
- ...
---

(wording may need some tweaking)

The above wording makes "bit-by-bit identical" a should (so packagers are encouraged to reach that goal), but already allows you to file RC bugs on some subset of "is not reproducible" package issues, and a subset that will improve over time.

With that wording, I don't think we should ever make "bit-by-bit identical" a must; I also don't think we would need to. As you say, building packages nonreproducibly is difficult to define, and it certainly is difficult to test for in a definite manner.

> > What parameters
> > are allowed to change need to be defined.
>
> I sadly think this is impossible.

I agree that it will probably be a never-ending effort, but I also think it's the only way that it can reasonably be done.

-- 
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
       people in the world who think they really understand all of its rules,
       and pretty much all of them are just lying to themselves too.
 -- #debian-devel, OFTC, 2016-02-12

Message #97 received at 844431@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: 844431@bugs.debian.org
Subject: Re: Bug#844431: policy: packages should be reproducible
Date: Thu, 18 May 2017 00:50:36 +0200

On Sun, May 14, 2017 at 11:15:26PM +0000, Holger Levsen wrote:
> On Mon, May 15, 2017 at 12:05:17AM +0200, Bill Allombert wrote:
> > On Sun, May 14, 2017 at 03:20:54PM +0000, Holger Levsen wrote:
> > > On Sun, May 14, 2017 at 05:05:36PM +0200, Bill Allombert wrote:
> > > a.) go to http://reproducible.debian.net/$srcpkg and see if it's reproducible today.
> > As I said, I would like to check that my package build is reproducible before
> > I upload it, not after, so I can be sure that any bug is fixed in the
> > upload.
>
> b.), b.0), c.) and d.) were given as possible "tools" *to build twice with
> (some) variation(s) and compare the results*.
>
> "Reproducible Builds" (in the sense of bit by bit identical builds) is
> really a rather new field in the era of software (well, not really, but
> that's history and bit rotted until it was rediscovered in the early 2010s…)
>
> What is trivial, if given, is to show that a package is *un*reproducible.
>
> It's much harder to show that a package is reproducible.

We should avoid a terminological confusion...

Unreproducible means that "it will never be reproduced", which is quite
different from "it will always be reproduced". Reproducible means that "it
is possible to reproduce". So in fact it is much easier to show that
something is reproducible than unreproducible.

There are situations where policy mandates that the build will be different
(for example setting DEB_BUILD_OPTIONS).

And actually, we do not need packages to build always identically. Instead
we need a reliable way to rebuild them identically, which is a lower bar.

If (as it is planned) all packages are built by the autobuilders, then we
could provide a tool that rebuilds a package (maybe by taking a .buildinfo
as input and downloading the same versions of the build dependencies from
snapshot.d.o) using the same settings as the autobuilders.

Then policy would cover the issues that could still lead to a different
build (for example using timestamps, hardcoding hardware characteristics of
the build machine, etc.).

Cheers,
--
Bill. <ballombe@debian.org>

Imagine a large red swirl here.
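Bill's examples of what still breaks a rebuild (timestamps, build-machine characteristics) and Wouter's "list of things that commonly make a package nonreproducible" can be shown on a toy build, together with Holger's "build twice with some variation and compare the results" check. The following is an added Python example, not code from this thread or from any Debian tool: it "builds" a constructed two-file source tree into a gzip-compressed manifest, once embedding the wall clock, the absolute build directory and the directory listing order, and once deriving its timestamp from SOURCE_DATE_EPOCH (the reproducible-builds.org convention, assumed here since the thread does not mention it), never recording the path, and sorting its inputs. The file names, contents, paths and timestamps are constructed.

```python
"""Toy build that shows three common sources of unreproducibility (wall-clock
timestamps, the absolute build path, directory listing order) next to a
variant that avoids them.  Added example with constructed inputs; not a
Debian tool."""
import gzip
import hashlib
import os
import time

# Constructed source tree: file name -> contents.  Dict order stands in for
# the order os.listdir() happens to return, which is not guaranteed.
SOURCE = {
    "main.c": b'#include "config.h"\nint main(void) { return 0; }\n',
    "util.c": b"int helper(void) { return 42; }\n",
}


def naive_build(source, build_dir, now=None):
    """Unreproducible: records the build directory and the wall clock, and
    emits files in whatever order the listing handed them over."""
    now = time.time() if now is None else now
    lines = [f"built in {build_dir} at {int(now)}".encode()]
    for name, data in source.items():
        lines.append(f"{name} {hashlib.sha256(data).hexdigest()}".encode())
    manifest = b"\n".join(lines) + b"\n"
    # gzip writes the mtime into its header, so even identical payloads differ.
    return gzip.compress(manifest, mtime=int(now))


def reproducible_build(source, build_dir, environ=None):
    """Reproducible given the same source and the same environment variable
    values: the timestamp comes from SOURCE_DATE_EPOCH (assumed convention;
    0 when unset), the build directory is accepted but deliberately never
    written into the output, and inputs are sorted before use."""
    environ = os.environ if environ is None else environ
    epoch = int(environ.get("SOURCE_DATE_EPOCH", "0"))
    lines = [f"built at {epoch}".encode()]
    for name in sorted(source):
        lines.append(f"{name} {hashlib.sha256(source[name]).hexdigest()}".encode())
    manifest = b"\n".join(lines) + b"\n"
    return gzip.compress(manifest, mtime=epoch)


def builds_identically(build, variations):
    """Run `build` under each variation (a dict of keyword arguments) and
    report whether every run produced the same bytes: the 'build twice with
    some variation and compare' check."""
    digests = {hashlib.sha256(build(**v)).hexdigest() for v in variations}
    return len(digests) == 1


# Constructed variations: a second build one second later, from another
# directory, with the source files listed in the opposite order.
REVERSED_SOURCE = dict(reversed(list(SOURCE.items())))
FIXED_ENV = {"SOURCE_DATE_EPOCH": "1502496000"}
NAIVE_RUNS = [
    {"source": SOURCE, "build_dir": "/build/hello-1.0", "now": 1502496000},
    {"source": REVERSED_SOURCE, "build_dir": "/tmp/buildd/hello-1.0", "now": 1502496001},
]
REPRODUCIBLE_RUNS = [
    {"source": SOURCE, "build_dir": "/build/hello-1.0", "environ": FIXED_ENV},
    {"source": REVERSED_SOURCE, "build_dir": "/tmp/buildd/hello-1.0", "environ": FIXED_ENV},
]

if __name__ == "__main__":
    print("naive build identical across runs:",
          builds_identically(naive_build, NAIVE_RUNS))
    print("reproducible build identical across runs:",
          builds_identically(reproducible_build, REPRODUCIBLE_RUNS))
```

Changing SOURCE_DATE_EPOCH between the two runs of `reproducible_build` changes the output as well, which is the point Bill makes about DEB_BUILD_OPTIONS: a differing environment variable is a different build environment, not evidence that the package cannot be reproduced.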

Message #102 received at 844431@bugs.debian.org:

From: Adrian Bunk <bunk@debian.org>
To: reproducible-builds@lists.alioth.debian.org, 844431@bugs.debian.org
Subject: Re: Status update from the Reproducible Builds project
Date: Tue, 25 Jul 2017 00:08:21 +0300

>...
> Debian Policy
> =============
>
> We are in the process of making reproducibility of packages something
> properly documented in policy. Writing patches for policy is not easy,
> so we welcome input from everyone to be able to better consider all the
> needed facets. See bug #844431 [16] for it.
> Also, we wish to remind everyone that Debian Policy aims at documenting
> current practices, it's not a "stick" to impose new rules. That said,
> we believe reproducible builds to be among the best practices today.
>...

If it could be interpreted in the future to include things that are not
current practice today, it would be a stick to impose new rules.

The main problem is the lack of an exact definition of what "packages build
in a reproducible manner" includes, and what not.

Bill already explained that "it is possible to reproduce" is a much easier
problem to solve than "it will always be reproduced".

I would suggest a top-down approach to that:

What are the high-level guarantees reproducible builds plans to make for
all packages in buster?

What exactly is required from every single package for that, and also
realistic to achieve for buster?

Once you have these plus a list of all remaining bugs, you can go to the
release team asking whether these can be considered as release critical
for buster.

At that point documenting this status quo for policy should be
straightforward.

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

Message #107 received at 844431@bugs.debian.org:

From: Sean Whitton <spwhitton@spwhitton.name>
To: 844431@bugs.debian.org
Cc: reproducible-builds@lists.alioth.debian.org
Subject: Reproducibility in Policy
Date: Fri, 11 Aug 2017 16:08:47 -0700

control: user debian-policy@packages.debian.org
control: usertag = normative proposal

Hello,

==== Proposal: ====

This is what Holger and I think we should add to Policy, after
readability tweaks:

Packages should build reproducibly, which for purposes of this
document means that given

- a version of a source package unpacked at a given path;
- a set of versions of installed build-dependencies; and
- a build architecture,

repeatedly building the source package on the architecture with those
versions of the build dependencies installed will produce bit-for-bit
identical binary packages.

==== Explanation: ====

The definition from the reproducible builds group[1] says:

    A build is reproducible if given the same source code, build
    environment and build instructions, any party can recreate
    bit-by-bit identical copies of all specified artifacts.

    The relevant attributes of the build environment, the build
    instructions and the source code as well as the expected
    reproducible artifacts are defined by ... distributors.

i.e. Debian has to define the build environment, source code and build
instructions. I think that my wording defines these as Debian currently
understands them.

Later, we could narrow the definition of build environment by adding
more constraints, but we're not there yet.

[1] https://reproducible-builds.org/docs/definition/

--
Sean Whitton

Message #112 received at 844431@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org
Cc: reproducible-builds@lists.alioth.debian.org
Subject: Re: Reproducibility in Policy
Date: Fri, 11 Aug 2017 20:25:30 -0400

Dear Sean & Holger,

Thank you so much for working on this at the end of a tiring DebConf!

> […]
> Later, we could narrow the definition of build environment by adding
> more constraints, but we're not there yet.

That makes sense. Indeed, that even feels like the optimal approach as it
allows flexibility and experimentation, probably more important the closer
and closer we get to 100% reproducibility.

Thanks again :)

Best wishes,

-- ,''`. : :' : Chris Lamb `. `'` lamby@debian.org / chris-lamb.co.uk `-

Message #117 received at 844431@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: Sean Whitton <spwhitton@spwhitton.name>
Cc: 844431@bugs.debian.org, reproducible-builds@lists.alioth.debian.org
Subject: Re: Bug#844431: Reproducibility in Policy
Date: Fri, 11 Aug 2017 17:57:44 -0700

Sean Whitton <spwhitton@spwhitton.name> writes:

> ==== Proposal: ====

> This is what Holger and I think we should add to Policy, after
> readability tweaks:

> Packages should build reproducibly, which for purposes of this
> document means that given

> - a version of a source package unpacked at a given path;
> - a set of versions of installed build-dependencies; and
> - a build architecture,

> repeatedly building the source package on the architecture with those
> versions of the build dependencies installed will produce bit-for-bit
> identical binary packages.

I think we need to add all environment variables starting with DEB_* to
the prerequisites. If you set DEB_BUILD_OPTIONS=nostrip or
DEB_BUILD_MAINT_OPTIONS=hardening=all, you'll definitely get a different
package, for instance.

I feel like there are a bunch of other environment variables that have to
be consistent, although I'm not sure how to specify that since other
environment variables shouldn't matter. But, say, setting GNUTARGET is
very likely to cause weirdness by changing how ld works. There are
probably more interesting examples.

How does the current reproducible build testing work with the environment?
Maybe we should just document that for right now and relax it later if
needed?

> ==== Explanation: ====

> The definition from the reproducible builds group[1] says:

>     A build is reproducible if given the same source code, build
>     environment and build instructions, any party can recreate
>     bit-by-bit identical copies of all specified artifacts.

>     The relevant attributes of the build environment, the build
>     instructions and the source code as well as the expected
>     reproducible artifacts are defined by ... distributors.

> i.e. Debian has to define the build environment, source code and build
> instructions. I think that my wording defines these as Debian currently
> understands them.

> Later, we could narrow the definition of build environment by adding
> more constraints, but we're not there yet.

> [1] https://reproducible-builds.org/docs/definition/

We should add a link to that page (maybe in a footnote).

--
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #122 received at 844431@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org
Cc: reproducible-builds@lists.alioth.debian.org
Subject: Re: Reproducibility in Policy
Date: Fri, 11 Aug 2017 20:22:22 -0400

Thanks for the proposal. I like it! A few nit-picks below:

On Fri 2017-08-11 16:08:47 -0700, Sean Whitton wrote:
> - a version of a source package unpacked at a given path;

I don't like the idea of hard-coding a fixed build path requirement into
debian policy. We're over 80% with variable build paths in unstable
already, and I want to keep the pressure up on this. The build location
should not influence the binary output.

> repeatedly building the source package on the architecture with

maybe s/on the architecture/on any machine of the same architecture/ ?

all the best,

--dkg

Message #127 received at 844431@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org, reproducible-builds@lists.alioth.debian.org
Subject: Re: Bug#844431: Reproducibility in Policy
Date: Fri, 11 Aug 2017 20:35:47 -0700

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> On Fri 2017-08-11 16:08:47 -0700, Sean Whitton wrote:

>> - a version of a source package unpacked at a given path;

> I don't like the idea of hard-coding a fixed build path requirement into
> debian policy. We're over 80% with variable build paths in unstable
> already, and i want to keep the pressure up on this. The build location
> should not influence the binary output.

It shouldn't, but my understanding is that it currently does. If you can
fix that, that's great, but until that's been fixed, I don't see the harm
in documenting this as a prerequisite for a reproducible build. If we can
relax that prerequisite later, great, but nothing about listing it here
should reduce the pressure on making variable build paths work. It just
documents the current state of the world.

--
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #130 received at 844431@bugs.debian.org:

From: Johannes Schauer <josch@debian.org>
To: Russ Allbery <rra@debian.org>, Sean Whitton <spwhitton@spwhitton.name>
Cc: reproducible-builds@lists.alioth.debian.org, 844431@bugs.debian.org
Subject: Re: Bug#844431: Reproducibility in Policy
Date: Sat, 12 Aug 2017 17:24:49 +0100

Hi,

Quoting Russ Allbery (2017-08-12 09:57:44)
> I think we need to add all environment variables starting with DEB_* to
> the prerequisites. If you set DEB_BUILD_OPTIONS=nostrip or
> DEB_BUILD_MAINT_OPTIONS=hardening=all, you'll definitely get a different
> package, for instance.
>
> I feel like there are a bunch of other environment variables that have to
> be consistent, although I'm not sure how to specify that since other
> environment variables shouldn't matter. But, say, setting GNUTARGET is
> very likely to cause weirdness by changing how ld works. There are
> probably more interesting examples.
>
> How does the current reproducible build testing work with the environment?
> Maybe we should just document that for right now and relax it later if
> needed?

Currently, dpkg-genbuildinfo records all environment variables in a
.buildinfo file which pass a whitelist check. The current whitelist is
stored here:

https://anonscm.debian.org/cgit/dpkg/dpkg.git/tree/scripts/Dpkg/Build/Info.pm#n50

I'm not proposing that this whole list should be added to policy. But the
list that ends up in policy must be a subset of the list of environment
variables that dpkg-genbuildinfo stores in the .buildinfo file.

Thus:

- this list from dpkg should give a number of good suggestions of which
  environment variables should be added to policy
- if any additional variables are added, then they must be added to
  dpkg-genbuildinfo as well.

Thanks!

cheers, josch
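Bill's idea of a tool that rebuilds a package from its .buildinfo, Sean's proposed definition (source version and path, installed build dependencies, build architecture, and per Russ the environment variable values) and josch's note that dpkg-genbuildinfo records the whitelisted environment variables in .buildinfo suggest a concrete check: compare the .buildinfo of the original build with the one written by a rebuild and classify the outcome. The following is an added Python example, not code from this thread or from dpkg. The .buildinfo texts are constructed in dpkg-genbuildinfo's field layout (Checksums-Sha256, Build-Architecture, Build-Path, Installed-Build-Depends, Environment) with made-up checksums, and treating Build-Path as the "given path" of the proposal is an assumption.

```python
"""Classify a rebuild by comparing two .buildinfo files against the inputs of
the proposed Policy wording.  Added example with constructed data; not the
thread's or dpkg's code."""
import re

# Single-valued fields that record the proposal's inputs.  Treating Build-Path
# as the "given path" of the proposal is an assumption.
SINGLE_VALUED_INPUTS = {
    "source version": ("Source", "Version"),
    "build path": ("Build-Path",),
    "build architecture": ("Build-Architecture",),
}


def make_buildinfo(deb_sha256, build_path, environment):
    """Constructed .buildinfo text in dpkg-genbuildinfo's layout (not a real upload)."""
    env_lines = "\n".join(f' {k}="{v}"' for k, v in sorted(environment.items()))
    return f"""Format: 1.0
Source: hello
Binary: hello
Architecture: amd64
Version: 2.10-1
Checksums-Sha256:
 {deb_sha256} 56208 hello_2.10-1_amd64.deb
Build-Origin: Debian
Build-Architecture: amd64
Build-Date: Sat, 12 Aug 2017 11:23:14 -0700
Build-Path: {build_path}
Installed-Build-Depends:
 base-files (= 10),
 gcc (= 4:7.1.0-1)
Environment:
{env_lines}
"""


def parse_buildinfo(text):
    """Minimal deb822-style parser: 'Field: value' lines plus indented
    continuation lines, kept as a list of stripped lines per field."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            fields[current].append(line.strip())
        elif ":" in line:
            current, _, value = line.partition(":")
            current = current.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def environment(fields):
    """Environment lines look like VAR="value".  Only whitelisted variables are
    recorded, so equal Environment fields are necessary, not sufficient."""
    env = {}
    for line in fields.get("Environment", []):
        m = re.fullmatch(r'([A-Za-z_][A-Za-z0-9_]*)="(.*)"', line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def installed_build_depends(fields):
    """Installed-Build-Depends lines look like 'pkg (= version),'."""
    deps = {}
    for line in fields.get("Installed-Build-Depends", []):
        m = re.match(r"(\S+) \(= ([^)]+)\)", line)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def checksums(fields):
    """Checksums-Sha256 lines are 'hash size filename'; map filename -> hash."""
    rows = (line.split() for line in fields.get("Checksums-Sha256", []))
    return {parts[2]: parts[0] for parts in rows if len(parts) == 3}


def classify(original_text, rebuild_text):
    """Return (verdict, details).  'inputs-differ' lists the proposal inputs that
    changed (the rebuild is outside the definition); 'unreproducible' lists the
    artifacts whose checksums differ although every input was the same;
    'reproduced' means all checksums match."""
    a, b = parse_buildinfo(original_text), parse_buildinfo(rebuild_text)
    differing = [name for name, keys in SINGLE_VALUED_INPUTS.items()
                 if any(a.get(k) != b.get(k) for k in keys)]
    if installed_build_depends(a) != installed_build_depends(b):
        differing.append("installed build dependencies")
    env_a, env_b = environment(a), environment(b)
    differing += [f"environment variable {v}" for v in sorted(set(env_a) | set(env_b))
                  if env_a.get(v) != env_b.get(v)]
    if differing:
        return "inputs-differ", differing
    sums_a, sums_b = checksums(a), checksums(b)
    changed = [f for f in sums_a if sums_a[f] != sums_b.get(f)]
    return ("unreproducible", changed) if changed else ("reproduced", [])


# Constructed scenarios: one original build and four rebuilds.
ENV = {"DEB_BUILD_OPTIONS": "parallel=4", "LANG": "C.UTF-8"}
DEB_A, DEB_B = "3a7b" + "0" * 60, "9f1c" + "0" * 60  # made-up checksums
ORIGINAL = make_buildinfo(DEB_A, "/build/hello-2.10", ENV)
REBUILD_SAME = make_buildinfo(DEB_A, "/build/hello-2.10", ENV)
REBUILD_CHANGED = make_buildinfo(DEB_B, "/build/hello-2.10", ENV)
REBUILD_NOSTRIP = make_buildinfo(DEB_B, "/build/hello-2.10",
                                 {**ENV, "DEB_BUILD_OPTIONS": "parallel=4 nostrip"})
REBUILD_OTHER_PATH = make_buildinfo(DEB_B, "/tmp/buildd/hello-2.10", ENV)

if __name__ == "__main__":
    for label, rebuild in [("same", REBUILD_SAME), ("changed .deb", REBUILD_CHANGED),
                           ("nostrip", REBUILD_NOSTRIP), ("other path", REBUILD_OTHER_PATH)]:
        print(f"{label:12} -> {classify(ORIGINAL, rebuild)}")
```

Only a rebuild whose recorded inputs are all identical can earn the "unreproducible" verdict; a rebuild with DEB_BUILD_OPTIONS changed or run from another path is reported as outside the definition, which is Bill's distinction between "the build environment differed" and "it will never be reproduced".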

Message #135 received at 844431@bugs.debian.org:

From: Bill Allombert <ballombe@debian.org>
To: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org
Cc: reproducible-builds@lists.alioth.debian.org
Subject: Re: Bug#844431: Reproducibility in Policy
Date: Sat, 12 Aug 2017 11:59:57 +0200

On Fri, Aug 11, 2017 at 04:08:47PM -0700, Sean Whitton wrote:
> control: user debian-policy@packages.debian.org
> control: usertag = normative proposal
>
> Hello,
>
> ==== Proposal: ====
>
> This is what Holger and I think we should add to Policy, after
> readability tweaks:
>
> Packages should build reproducibly, which for purposes of this
> document means that given
>
> - a version of a source package unpacked at a given path;
> - a set of versions of installed build-dependencies; and
> - a build architecture,
>
> repeatedly building the source package on the architecture with those
> versions of the build dependencies installed will produce bit-for-bit
> identical binary packages.
>
> ==== Explanation: ====
>
> The definition from the reproducible builds group[1] says:
>
>     A build is reproducible if given the same source code, build
>     environment and build instructions, any party can recreate
>     bit-by-bit identical copies of all specified artifacts.
>
>     The relevant attributes of the build environment, the build
>     instructions and the source code as well as the expected
>     reproducible artifacts are defined by ... distributors.
>
> i.e. Debian has to define the build environment, source code and build
> instructions. I think that my wording defines these as Debian currently
> understands them.

This requires policy to define the build environment and build
instructions much more precisely than it does now, which does not seem to
be practical. Unless maybe if a reference implementation is provided.

Cheers,
--
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

Owner recorded as Sean Whitton <spwhitton@spwhitton.name>. Request was from Sean Whitton <spwhitton@spwhitton.name> to control@bugs.debian.org . (Sat, 12 Aug 2017 16:33:09 GMT)

Message #142 received at 844431@bugs.debian.org:

From: Sean Whitton <spwhitton@spwhitton.name>
To: 844431@bugs.debian.org
Cc: reproducible-builds@lists.alioth.debian.org
Subject: Revised patch: seeking seconds
Date: Sat, 12 Aug 2017 11:23:14 -0700

control: tag -1 +patch This patch incorporates the feedback given on the proposal I sent yesterday, both in this bug and in person from Russ and Holger (thank you to all). I am seeking formal seconds for this patch, from any DD. In particular: - for now, we only require reproducibility when the set of environment variable values set is exactly the same This is because - the reproducible builds team aren't yet totally clear on the variables that they think may be allowed to vary - we should wait until .buildinfo is properly documented in policy, and then we can refer to that file - we don't require reproducibility when build paths vary This is because - since there is not a consensus on whether we should require this, and there is strong consensus on the requirement of reproducibility if the path does /not/ vary, this issue should not block this change. We should open a separate bug against debian-policy diff --git a/policy/ch-source.rst b/policy/ch-source.rst index 127b125..cc4b020 100644 --- a/policy/ch-source.rst +++ b/policy/ch-source.rst @@ -661,6 +661,22 @@ particularly complex or unintuitive source layout or build system (for example, a package that builds the same source multiple times to generate different binary packages). +Reproducibility +--------------- + +Packages should build reproducibly, which for the purposes of this +document [#]_ means that given + +- a version of a source package unpacked at a given path; +- a set of versions of installed build dependencies; +- a set of environment variable values; and +- a build architecture, + +repeatedly building the source package on any machine of the same +architecture with those versions of the build dependencies installed +and exactly those environment variable values set will produce +bit-for-bit identical binary packages. + .. [#] See the file ``upgrading-checklist`` for information about policy which has changed between different versions of this document. 
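Review bot: the second bullet of the new section pins only the versions of the installed build dependencies, so two builds with identical Build-Depends but a different set of other packages present both count as "the same inputs" even though a build system that probes for optional libraries can produce different binaries in the two cases; either word the bullet as the set of installed packages and their versions, or have the footnote say the build environment meant is the one recorded for the build. The first bullet keeps "unpacked at a given path" as a fixed input; since dkg objects to it and Russ defends it only as documenting the current state, a clause such as "this constraint is expected to be relaxed in future" would keep the text from reading as an endorsement of path-dependent output.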
@@ -790,3 +806,7 @@ generate different binary packages). often creates either static linking or shared library conflicts, and, most importantly, increases the difficulty of handling security vulnerabilities in the duplicated code. + +.. [#] + This is Debian's precisification of the `reproducible-builds.org + definition <https://reproducible-builds.org/docs/definition/>`_. -- Sean Whitton
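Review bot: the new footnote uses an anonymous auto-numbered label (`.. [#]`), and docutils pairs such definitions with `[#]_` references by document order, so a definition appended at the very end of ch-source.rst resolves to the new reference in the Reproducibility section only if no other `[#]_` reference follows that section in the file; an explicit auto-number label (`[#reproducible]_` in the text, `.. [#reproducible]` here) removes the dependence on ordering. On wording, Ximin's "more precise version" reads better than "precisification", and the footnote is also the place to say that the definition deliberately covers only the binary packages rather than every build artifact, since the upstream definition it refines speaks of "all specified artifacts".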

Added tag(s) patch. Request was from Sean Whitton <spwhitton@spwhitton.name> to 844431-submit@bugs.debian.org . (Sat, 12 Aug 2017 18:27:05 GMT)

Message #149 received at 844431@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: 844431@bugs.debian.org
Cc: reproducible-builds@lists.alioth.debian.org
Subject: Re: Bug#844431: Revised patch: seeking seconds
Date: Sat, 12 Aug 2017 18:40:24 +0000

On Sat, Aug 12, 2017 at 11:23:14AM -0700, Sean Whitton wrote: > I am seeking formal seconds for this patch, from any DD. > > In particular: > > - for now, we only require reproducibility when the set of environment > variable values set is exactly the same > > This is because > > - the reproducible builds team aren't yet totally clear on the > variables that they think may be allowed to vary > > - we should wait until .buildinfo is properly documented in policy, > and then we can refer to that file > > - we don't require reproducibility when build paths vary > > This is because > > - since there is not a consensus on whether we should require this, > and there is strong consensus on the requirement of reproducibility > if the path does /not/ vary, this issue should not block this change. > We should open a separate bug against debian-policy > > diff --git a/policy/ch-source.rst b/policy/ch-source.rst > index 127b125..cc4b020 100644 > --- a/policy/ch-source.rst > +++ b/policy/ch-source.rst > @@ -661,6 +661,22 @@ particularly complex or unintuitive source layout or build system (for > example, a package that builds the same source multiple times to > generate different binary packages). > > +Reproducibility > +--------------- > + > +Packages should build reproducibly, which for the purposes of this > +document [#]_ means that given > + > +- a version of a source package unpacked at a given path; > +- a set of versions of installed build dependencies; > +- a set of environment variable values; and > +- a build architecture, > + > +repeatedly building the source package on any machine of the same > +architecture with those versions of the build dependencies installed > +and exactly those environment variable values set will produce > +bit-for-bit identical binary packages. > + > .. [#] > See the file ``upgrading-checklist`` for information about policy > which has changed between different versions of this document. 
> @@ -790,3 +806,7 @@ generate different binary packages). > often creates either static linking or shared library conflicts, and, > most importantly, increases the difficulty of handling security > vulnerabilities in the duplicated code. > + > +.. [#] > + This is Debian's precisification of the `reproducible-builds.org > + definition <https://reproducible-builds.org/docs/definition/>`_. very happily seconded, many thanks to everyone who has contributed to this bug directly or "indirectly" (I'm thinking specifically about Lunar here). -- cheers, Holger (who watched http://meetings-archive.debian.net/pub/debian-meetings/2017/debconf17/reproducible-builds-status-update.vp8.webm today and was equally happy when seeing the whole audience agreeing this should be in policy - and the applause after Russ's closing statement was also very very nice…!)

Message #154 received at 844431@bugs.debian.org:

From: Ondrej Novy <novy@ondrej.org>
To: Sean Whitton <spwhitton@spwhitton.name>
Cc: 844431@bugs.debian.org, reproducible-builds@lists.alioth.debian.org
Subject: Re: Revised patch: seeking seconds
Date: Sat, 12 Aug 2017 14:50:19 -0400

Hi,

2017-08-12 14:23 GMT-04:00 Sean Whitton <spwhitton@spwhitton.name>:
> control: tag -1 +patch
>
> This patch incorporates the feedback given on the proposal I sent
> yesterday, both in this bug and in person from Russ and Holger (thank
> you to all).
>

seconded, thanks for working on this.

--
Best regards
 Ondřej Nový

Email: novy@ondrej.org
PGP: 3D98 3C52 EB85 980C 46A5 6090 3573 1255 9D1E 064B

Message #159 received at 844431@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: Sean Whitton <spwhitton@spwhitton.name>
Cc: 844431@bugs.debian.org, reproducible-builds@lists.alioth.debian.org
Subject: Re: Bug#844431: Revised patch: seeking seconds
Date: Sat, 12 Aug 2017 12:25:49 -0700

Sean Whitton <spwhitton@spwhitton.name> writes: > diff --git a/policy/ch-source.rst b/policy/ch-source.rst > index 127b125..cc4b020 100644 > --- a/policy/ch-source.rst > +++ b/policy/ch-source.rst > @@ -661,6 +661,22 @@ particularly complex or unintuitive source layout or build system (for > example, a package that builds the same source multiple times to > generate different binary packages). > > +Reproducibility > +--------------- > + > +Packages should build reproducibly, which for the purposes of this > +document [#]_ means that given > + > +- a version of a source package unpacked at a given path; > +- a set of versions of installed build dependencies; > +- a set of environment variable values; and > +- a build architecture, > + > +repeatedly building the source package on any machine of the same > +architecture with those versions of the build dependencies installed > +and exactly those environment variable values set will produce > +bit-for-bit identical binary packages. > + > .. [#] > See the file ``upgrading-checklist`` for information about policy > which has changed between different versions of this document. > @@ -790,3 +806,7 @@ generate different binary packages). > often creates either static linking or shared library conflicts, and, > most importantly, increases the difficulty of handling security > vulnerabilities in the duplicated code. > + > +.. [#] > + This is Debian's precisification of the `reproducible-builds.org > + definition <https://reproducible-builds.org/docs/definition/>`_. Seconded. -- Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>

Message #164 received at 844431@bugs.debian.org:

From: Ximin Luo <infinity0@debian.org> To: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org Cc: reproducible-builds@lists.alioth.debian.org Subject: Re: Revised patch: seeking seconds Date: Sat, 12 Aug 2017 19:52:00 +0000

Sean Whitton: > diff --git a/policy/ch-source.rst b/policy/ch-source.rst > index 127b125..cc4b020 100644 > --- a/policy/ch-source.rst > +++ b/policy/ch-source.rst > @@ -661,6 +661,22 @@ particularly complex or unintuitive source layout or build system (for > example, a package that builds the same source multiple times to > generate different binary packages). > > +Reproducibility > +--------------- > + > +Packages should build reproducibly, which for the purposes of this > +document [#]_ means that given > + > +- a version of a source package unpacked at a given path; > +- a set of versions of installed build dependencies; > +- a set of environment variable values; and > +- a build architecture, > + > +repeatedly building the source package on any machine of the same > +architecture with those versions of the build dependencies installed > +and exactly those environment variable values set will produce > +bit-for-bit identical binary packages. > + To echo dkg and others' comments, it would be nice if we could add here: +Packages are encouraged to produce bit-for-bit identical binary packages even +if most environment variables and build paths are varied. This is technically +more difficult at the time of writing, but it is intended that this stricter +definition would replace the above one, when appropriate in the future. If this type of "intent" wording is not appropriate for Policy then disregard what I'm saying, I don't wish to block this patch for this reason. > .. [#] > See the file ``upgrading-checklist`` for information about policy > which has changed between different versions of this document. 
> @@ -790,3 +806,7 @@ generate different binary packages). > often creates either static linking or shared library conflicts, and, > most importantly, increases the difficulty of handling security > vulnerabilities in the duplicated code. > + > +.. [#] > + This is Debian's precisification of the `reproducible-builds.org > + definition <https://reproducible-builds.org/docs/definition/>`_. > "precisification" -> "more precise version" X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Sat, 12 Aug 2017 20:21:02 GMT) (full text, mbox, link).

Acknowledgement sent to Russ Allbery <rra@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Sat, 12 Aug 2017 20:21:02 GMT) (full text, mbox, link).

Message #169 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org> To: Ximin Luo <infinity0@debian.org> Cc: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org, reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Sat, 12 Aug 2017 13:18:23 -0700

Ximin Luo <infinity0@debian.org> writes:

> To echo dkg and others' comments, it would be nice if we could add here:

> +Packages are encouraged to produce bit-for-bit identical binary packages even
> +if most environment variables and build paths are varied. This is technically
> +more difficult at the time of writing, but it is intended that this stricter
> +definition would replace the above one, when appropriate in the future.

> If this type of "intent" wording is not appropriate for Policy then
> disregard what I'm saying, I don't wish to block this patch for this
> reason.

Oh, that's a good way to capture that. This seems fine to me, and I have no objections to adding this advice. Seconded the original with or without this addition.

-- 
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Sat, 12 Aug 2017 20:33:02 GMT) (full text, mbox, link).

Acknowledgement sent to Holger Levsen <holger@layer-acht.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Sat, 12 Aug 2017 20:33:02 GMT) (full text, mbox, link).

Message #174 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org> To: Russ Allbery <rra@debian.org>, 844431@bugs.debian.org Cc: Ximin Luo <infinity0@debian.org>, Sean Whitton <spwhitton@spwhitton.name>, reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Sat, 12 Aug 2017 20:30:34 +0000

On Sat, Aug 12, 2017 at 01:18:23PM -0700, Russ Allbery wrote:
> > +Packages are encouraged to produce bit-for-bit identical binary packages even
> > +if most environment variables and build paths are varied. This is technically
> > +more difficult at the time of writing, but it is intended that this stricter
> > +definition would replace the above one, when appropriate in the future.
> 
> > If this type of "intent" wording is not appropriate for Policy then
> > disregard what I'm saying, I don't wish to block this patch for this
> > reason.
> 
> Oh, that's a good way to capture that. This seems fine to me, and I have
> no objections to adding this advice. Seconded the original with or
> without this addition.

I'm also seconding the original with or without this addition.

-- 
cheers,
Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Sat, 12 Aug 2017 20:48:04 GMT) (full text, mbox, link).

Message #177 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Johannes Schauer <josch@debian.org> To: 844431@bugs.debian.org, Sean Whitton <spwhitton@spwhitton.name> Cc: reproducible-builds@lists.alioth.debian.org Subject: Re: Revised patch: seeking seconds Date: Sun, 13 Aug 2017 05:45:56 +0100

Hi,

Quoting Sean Whitton (2017-08-13 03:23:14)
> +Reproducibility
> +---------------
> +
> +Packages should build reproducibly, which for the purposes of this
> +document [#]_ means that given
> +
> +- a version of a source package unpacked at a given path;
> +- a set of versions of installed build dependencies;
> +- a set of environment variable values; and
> +- a build architecture,

Policy §4.9 defines "build architecture" in the context of dpkg-architecture already and I think what you mean here is either "host architecture" or at least "build and host architecture" or you need to mention that you are only talking about native builds where build and host architecture are equal.

Thanks!

cheers, josch

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Sat, 12 Aug 2017 21:00:06 GMT) (full text, mbox, link).

Acknowledgement sent to Russ Allbery <rra@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Sat, 12 Aug 2017 21:00:06 GMT) (full text, mbox, link).

Message #182 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org> To: Johannes Schauer <josch@debian.org> Cc: 844431@bugs.debian.org, Sean Whitton <spwhitton@spwhitton.name>, reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Sat, 12 Aug 2017 13:57:25 -0700

Johannes Schauer <josch@debian.org> writes:

> Policy §4.9 defines "build architecture" in the context of
> dpkg-architecture already and I think what you mean here is either "host
> architecture" or at least "build and host architecture" or you need to
> mention that you are only talking about native builds where build and
> host architecture are equal.

I suspect we want to say build and host architecture for right now. (Maybe we can later aspire to making the build architecture not matter.)

Thanks, good catch!

-- 
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Sat, 12 Aug 2017 21:03:03 GMT) (full text, mbox, link).

Acknowledgement sent to Russ Allbery <rra@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Sat, 12 Aug 2017 21:03:03 GMT) (full text, mbox, link).

Message #187 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org> To: Bill Allombert <ballombe@debian.org> Cc: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org, reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Reproducibility in Policy Date: Sat, 12 Aug 2017 14:01:30 -0700

Bill Allombert <ballombe@debian.org> writes:

> This requires policy to define the build environment and build
> instructions much more precisely than it does now, which does not seem
> to be practical. Unless maybe if a reference implementation is provided.

I don't see anything in this proposal that would require a more precise definition than we have in Sean's current proposal. This is the standard that we're already using for filing reproducible build bugs in the archive, and it's been basically fine. The tools aren't in place yet to make it super-easy for people to test for themselves, but that's in the works, and that's also why it's a should (not must) and there's infrastructure in place for Debian to check it for you.

We can always aspire to get more formal and specific in the future, but that's true of many other parts of Policy as well.

-- 
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Sat, 12 Aug 2017 21:45:03 GMT) (full text, mbox, link).

Acknowledgement sent to Holger Levsen <holger@layer-acht.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Sat, 12 Aug 2017 21:45:03 GMT) (full text, mbox, link).

Message #192 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org> To: Russ Allbery <rra@debian.org>, 844431@bugs.debian.org Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Sean Whitton <spwhitton@spwhitton.name>, reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Reproducibility in Policy Date: Sat, 12 Aug 2017 17:40:27 -0400

On Fri, Aug 11, 2017 at 08:35:47PM -0700, Russ Allbery wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> > I don't like the idea of hard-coding a fixed build path requirement into
> > debian policy.

I don't *like* it either, but I think it's the sensible thing to do now.

> > We're over 80% with variable build paths in unstable
> > already, and i want to keep the pressure up on this. The build location
> > should not influence the binary output.

I'd like to keep the pressure on this, and I think we can still do that while OTOH also trying to get closer to 100% first too. With build path variation, reaching the worthwhile goal of having >98% reproducible builds will be delayed by 1-2 years at least, so this is a classic "perfect is the enemy of good". I don't do reproducible builds for purely academic reasons, I foremost want them to increase the security of user systems.

> It shouldn't, but my understanding is that it currently does. If you can
> fix that, that's great, but until that's been fixed, I don't see the harm
> in documenting this as a prerequisite for a reproducible build. If we can
> relax that prerequisite later, great, but nothing about listing it here
> should reduce the pressure on making variable build paths work. It just
> documents the current state of the world.

exactly.

-- 
cheers,
Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org> :

Bug#844431 ; Package debian-policy . (Sat, 12 Aug 2017 22:39:02 GMT) (full text, mbox, link).

Acknowledgement sent to Sean Whitton <spwhitton@spwhitton.name> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org> . (Sat, 12 Aug 2017 22:39:02 GMT) (full text, mbox, link).

Message #197 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Sean Whitton <spwhitton@spwhitton.name> To: 844431@bugs.debian.org Cc: reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Sat, 12 Aug 2017 15:34:35 -0700

Hello, On Sat, Aug 12 2017, Russ Allbery wrote: > I suspect we want to say build and host architecture for right now. > (Maybe we can later aspire to making the build architecture not > matter.) On Sat, Aug 12 2017, Ximin Luo wrote: > To echo dkg and others' comments, it would be nice if we could add > here: > > +Packages are encouraged to produce bit-for-bit identical binary > packages even +if most environment variables and build paths are > varied. This is technically +more difficult at the time of writing, > but it is intended that this stricter +definition would replace the > above one, when appropriate in the future. Here is an updated patch addressing these. I reworded it to use 'recommended' and changed the tone to better suit policy. Thank you Ximin, Russ and Johannes! > "precisification" -> "more precise version" Our definition is not actually a /version/ of the reproducible-builds.org definition -- that would imply that our definition could replace the reproducible-builds.org definition, like upgrading a package. 'precisification' means roughly "filling out the missing specification when it is appropriate to fill it out", which is what the r-p.org definition instructs distributors to do. diff --git a/policy/ch-source.rst b/policy/ch-source.rst index 127b125..6e32870 100644 --- a/policy/ch-source.rst +++ b/policy/ch-source.rst 
@@ -661,6 +661,28 @@ particularly complex or unintuitive source layout or build system (for example, a package that builds the same source multiple times to generate different binary packages). +Reproducibility +--------------- + +Packages should build reproducibly, which for the purposes of this +document [#]_ means that given + +- a version of a source package unpacked at a given path; +- a set of versions of installed build dependencies; +- a set of environment variable values; +- a build architecture; and +- a host architecture, + +repeatedly building the source package for the build architecture on +any machine of the host architecture with those versions of the build +dependencies installed and exactly those environment variable values +set will produce bit-for-bit identical binary packages. + +It is recommended that packages produce bit-for-bit identical binaries +even if most environment variables and build paths are varied. It is +intended for this stricter standard to replace the above when it is +easier for packages to meet it. + .. [#] See the file ``upgrading-checklist`` for information about policy which has changed between different versions of this document. @@ -790,3 +812,7 @@ generate different binary packages). often creates either static linking or shared library conflicts, and, most importantly, increases the difficulty of handling security vulnerabilities in the duplicated code. + +.. [#] + This is Debian's precisification of the `reproducible-builds.org + definition <https://reproducible-builds.org/docs/definition/>`_. -- Sean Whitton
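Review bot: in the first hunk, the lines `+repeatedly building the source package for the build architecture on` / `+any machine of the host architecture` have the two terms the wrong way round relative to the dpkg-architecture sense that Policy §4.9 uses (the one Johannes pointed to): the build architecture is the machine the build runs on and the host architecture is the one the binaries are built for, so the sentence should read "for the host architecture on any machine of the build architecture". The added recommendation "even if most environment variables and build paths are varied" also leaves "most" undefined; since this stricter standard is meant to replace the definition later, it would help either to say which variables may vary or to defer that explicitly to the *.buildinfo file once Policy documents it.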

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Sat, 12 Aug 2017 23:12:03 GMT) (full text, mbox, link).

Acknowledgement sent to Ximin Luo <infinity0@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Sat, 12 Aug 2017 23:12:03 GMT) (full text, mbox, link).

Message #202 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Ximin Luo <infinity0@debian.org> To: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org Cc: reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Sat, 12 Aug 2017 23:09:00 +0000

Sean Whitton: > [..] > > Here is an updated patch addressing these. I reworded it to use > 'recommended' and changed the tone to better suit policy. > > Thank you Ximin, Russ and Johannes! > >> "precisification" -> "more precise version" > > Our definition is not actually a /version/ of the > reproducible-builds.org definition -- that would imply that our > definition could replace the reproducible-builds.org definition, like > upgrading a package. > > 'precisification' means roughly "filling out the missing specification > when it is appropriate to fill it out", which is what the r-p.org > definition instructs distributors to do. > > diff --git a/policy/ch-source.rst b/policy/ch-source.rst > index 127b125..6e32870 100644 > --- a/policy/ch-source.rst > +++ b/policy/ch-source.rst 
> @@ -661,6 +661,28 @@ particularly complex or unintuitive source layout or build system (for > example, a package that builds the same source multiple times to > generate different binary packages). > > +Reproducibility > +--------------- > + > +Packages should build reproducibly, which for the purposes of this > +document [#]_ means that given > + > +- a version of a source package unpacked at a given path; > +- a set of versions of installed build dependencies; > +- a set of environment variable values; > +- a build architecture; and > +- a host architecture, > + > +repeatedly building the source package for the build architecture on > +any machine of the host architecture with those versions of the build > +dependencies installed and exactly those environment variable values > +set will produce bit-for-bit identical binary packages. > + > +It is recommended that packages produce bit-for-bit identical binaries > +even if most environment variables and build paths are varied. It is > +intended for this stricter standard to replace the above when it is > +easier for packages to meet it. > + > .. [#] > See the file ``upgrading-checklist`` for information about policy > which has changed between different versions of this document. > @@ -790,3 +812,7 @@ generate different binary packages). > often creates either static linking or shared library conflicts, and, > most importantly, increases the difficulty of handling security > vulnerabilities in the duplicated code. > + > +.. [#] > + This is Debian's precisification of the `reproducible-builds.org > + definition <https://reproducible-builds.org/docs/definition/>`_. > > Thanks! Seconded. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org> :

Bug#844431 ; Package debian-policy . (Sun, 13 Aug 2017 12:27:03 GMT) (full text, mbox, link).

Acknowledgement sent to Sean Whitton <spwhitton@spwhitton.name> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org> . (Sun, 13 Aug 2017 12:27:03 GMT) (full text, mbox, link).

Message #207 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Sean Whitton <spwhitton@spwhitton.name> To: 844431@bugs.debian.org Cc: reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Sun, 13 Aug 2017 05:24:35 -0700

On Sat, Aug 12 2017, Ximin Luo wrote:
> Thanks! Seconded.

Just to be clear, we are waiting on one more second for the version that refers to build and target architecture.

-- 
Sean Whitton

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Sun, 13 Aug 2017 13:30:03 GMT) (full text, mbox, link).

Acknowledgement sent to Holger Levsen <holger@layer-acht.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Sun, 13 Aug 2017 13:30:03 GMT) (full text, mbox, link).

Message #212 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org> To: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org Cc: reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Sun, 13 Aug 2017 09:27:12 -0400

On Sat, Aug 12, 2017 at 03:34:35PM -0700, Sean Whitton wrote: > Here is an updated patch addressing these. I reworded it to use > 'recommended' and changed the tone to better suit policy. > > Thank you Ximin, Russ and Johannes! > > > "precisification" -> "more precise version" > > Our definition is not actually a /version/ of the > reproducible-builds.org definition -- that would imply that our > definition could replace the reproducible-builds.org definition, like > upgrading a package. > > 'precisification' means roughly "filling out the missing specification > when it is appropriate to fill it out", which is what the r-p.org > definition instructs distributors to do. > > diff --git a/policy/ch-source.rst b/policy/ch-source.rst > index 127b125..6e32870 100644 > --- a/policy/ch-source.rst > +++ b/policy/ch-source.rst 
> @@ -661,6 +661,28 @@ particularly complex or unintuitive source layout or build system (for > example, a package that builds the same source multiple times to > generate different binary packages). > > +Reproducibility > +--------------- > + > +Packages should build reproducibly, which for the purposes of this > +document [#]_ means that given > + > +- a version of a source package unpacked at a given path; > +- a set of versions of installed build dependencies; > +- a set of environment variable values; > +- a build architecture; and > +- a host architecture, > + > +repeatedly building the source package for the build architecture on > +any machine of the host architecture with those versions of the build > +dependencies installed and exactly those environment variable values > +set will produce bit-for-bit identical binary packages. > + > +It is recommended that packages produce bit-for-bit identical binaries > +even if most environment variables and build paths are varied. It is > +intended for this stricter standard to replace the above when it is > +easier for packages to meet it. > + > .. [#] > See the file ``upgrading-checklist`` for information about policy > which has changed between different versions of this document. > @@ -790,3 +812,7 @@ generate different binary packages). > often creates either static linking or shared library conflicts, and, > most importantly, increases the difficulty of handling security > vulnerabilities in the duplicated code. > + > +.. [#] > + This is Debian's precisification of the `reproducible-builds.org > + definition <https://reproducible-builds.org/docs/definition/>`_. seconded & thanks for these improvements! -- cheers, Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Sun, 13 Aug 2017 14:51:03 GMT) (full text, mbox, link).

Acknowledgement sent to gregor herrmann <gregoa@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Sun, 13 Aug 2017 14:51:03 GMT) (full text, mbox, link).

Message #217 received at 844431@bugs.debian.org (full text, mbox, reply):

From: gregor herrmann <gregoa@debian.org> To: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org Cc: reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Sun, 13 Aug 2017 10:28:58 -0400

On Sat, 12 Aug 2017 15:34:35 -0700, Sean Whitton wrote: > diff --git a/policy/ch-source.rst b/policy/ch-source.rst > index 127b125..6e32870 100644 > --- a/policy/ch-source.rst > +++ b/policy/ch-source.rst > @@ -661,6 +661,28 @@ particularly complex or unintuitive source layout or build system (for > example, a package that builds the same source multiple times to > generate different binary packages). > > +Reproducibility > +--------------- > + > +Packages should build reproducibly, which for the purposes of this > +document [#]_ means that given > + > +- a version of a source package unpacked at a given path; > +- a set of versions of installed build dependencies; > +- a set of environment variable values; > +- a build architecture; and > +- a host architecture, > + > +repeatedly building the source package for the build architecture on > +any machine of the host architecture with those versions of the build > +dependencies installed and exactly those environment variable values > +set will produce bit-for-bit identical binary packages. > + > +It is recommended that packages produce bit-for-bit identical binaries > +even if most environment variables and build paths are varied. It is > +intended for this stricter standard to replace the above when it is > +easier for packages to meet it. > + > .. [#] > See the file ``upgrading-checklist`` for information about policy > which has changed between different versions of this document. 
> @@ -790,3 +812,7 @@ generate different binary packages). > often creates either static linking or shared library conflicts, and, > most importantly, increases the difficulty of handling security > vulnerabilities in the duplicated code. > + > +.. [#] > + This is Debian's precisification of the `reproducible-builds.org > + definition <https://reproducible-builds.org/docs/definition/>`_. Seconded. Thanks to everyone for their work on this. Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `-

Added tag(s) pending. Request was from Sean Whitton <spwhitton@spwhitton.name> to control@bugs.debian.org . (Mon, 14 Aug 2017 16:24:04 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Tue, 15 Aug 2017 17:57:03 GMT) (full text, mbox, link).

Acknowledgement sent to Adrian Bunk <bunk@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Tue, 15 Aug 2017 17:57:03 GMT) (full text, mbox, link).

Message #224 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@debian.org> To: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org Cc: reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Tue, 15 Aug 2017 20:54:01 +0300

On Sat, Aug 12, 2017 at 11:23:14AM -0700, Sean Whitton wrote:
>...
> - for now, we only require reproducibility when the set of environment
>   variable values set is exactly the same
> 
> This is because
> 
> - the reproducible builds team aren't yet totally clear on the
>   variables that they think may be allowed to vary
> 
> - we should wait until .buildinfo is properly documented in policy,
>   and then we can refer to that file
>...

I would expect the reproducible builds team to not submit any bugs regarding varied environment variables as long as the official definition of reproducibility in policy states that this is not required for a package to be reproducible.

> Sean Whitton

cu
Adrian

-- 
"Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Tue, 15 Aug 2017 18:09:03 GMT) (full text, mbox, link).

Acknowledgement sent to Adrian Bunk <bunk@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Tue, 15 Aug 2017 18:09:03 GMT) (full text, mbox, link).

Message #229 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@debian.org> To: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org Cc: reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Tue, 15 Aug 2017 21:05:29 +0300

On Sat, Aug 12, 2017 at 03:34:35PM -0700, Sean Whitton wrote:
>...
> +Reproducibility
> +---------------
> +
> +Packages should build reproducibly, which for the purposes of this
> +document [#]_ means that given
> +
> +- a version of a source package unpacked at a given path;
> +- a set of versions of installed build dependencies;
> +- a set of environment variable values;
> +- a build architecture; and
> +- a host architecture,
>...

Is identical building on any kernel required (and tested)?

Examples:

A self-compiled kernel with CONFIG_IPV6=n

Imagine the next time Linus changes the kernel versioning, he chooses <year>.<month>.<revision>
Will every reproducible package in buster build identical on the bullseye+1 kernel 2022.11.321 ? [1]

> Sean Whitton

cu
Adrian

[1] the wheezy LTS updates are now built on buildds running stretch kernels, and in buster we will have the similar situation that nearly everything in the initial release will be built on stretch kernels while post-release updates will be built on buster, bullseye and bullseye+1 kernels

-- 
"Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Tue, 15 Aug 2017 18:51:03 GMT) (full text, mbox, link).

Acknowledgement sent to Russ Allbery <rra@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Tue, 15 Aug 2017 18:51:03 GMT) (full text, mbox, link).

Message #234 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org> To: Adrian Bunk <bunk@debian.org> Cc: Sean Whitton <spwhitton@spwhitton.name>, 844431@bugs.debian.org, reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised patch: seeking seconds Date: Tue, 15 Aug 2017 11:49:22 -0700

Adrian Bunk <bunk@debian.org> writes:

> I would expect the reproducible builds team to not submit any bugs
> regarding varied environment variables as long as the official
> definition of reproducibility in policy states that this is not required
> for a package to be reproducible.

I believe the planned next step here is to publish the *.buildinfo files, which contain a specification of the environment variables the build cares about, and then Policy can be modified to include a description of *.buildinfo files and how to use them. As part of those changes, we'd certainly update the definition of reproducible to reference matching the environment specified in the corresponding *.buildinfo file.

-- 
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
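The check that Sean's definition and the *.buildinfo plan above imply, as an added example that is not code from the thread or from dpkg: two constructed .buildinfo files are parsed, the inputs Policy holds fixed (Build-Path, Installed-Build-Depends, Environment, build and host architecture) are compared, and only when they all match are the SHA-256 sums of the .deb files compared for bit-for-bit identity. The field layout follows the deb822 format written by dpkg-genbuildinfo; the package name, versions, paths and checksums are all made up.

```python
"""Compare two builds of one Debian source package against the Policy definition.

Added example, not code from the bug thread or from dpkg. Each build is
described by its .buildinfo file (deb822 layout as written by dpkg-genbuildinfo).
Policy fixes five inputs: unpack path, installed build-dependency versions,
environment variable values, build architecture and host architecture. When all
five match, the binary packages must be bit-for-bit identical, which is checked
through the SHA-256 line of every .deb. When an input differs the definition
makes no claim, so the verdict is "inputs-differ" rather than "unreproducible".
"""


def parse_buildinfo(text):
    """Parse deb822 text into {field: [first value line, continuation lines...]}.

    Continuation lines start with whitespace; an empty first value (as in
    'Checksums-Sha256:') yields an empty list that the continuations fill.
    """
    fields, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(raw.strip())
        else:
            name, _, value = raw.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def fixed_inputs(info):
    """The inputs the Policy definition holds constant, normalised for comparison."""
    return {
        "build_path": info["Build-Path"][0],
        "build_architecture": info["Build-Architecture"][0],
        # 'Architecture' lists the architectures of the produced binaries, i.e.
        # the host architecture(s), plus 'all' for architecture-independent ones.
        "host_architecture": frozenset(info["Architecture"][0].split()),
        "installed_build_depends": frozenset(
            dep.rstrip(",") for dep in info["Installed-Build-Depends"]),
        "environment": frozenset(info["Environment"]),
    }


def deb_checksums(info):
    """Map each .deb listed under Checksums-Sha256 to its (sha256, size)."""
    out = {}
    for line in info["Checksums-Sha256"]:
        parts = line.split()
        if len(parts) == 3 and parts[2].endswith(".deb"):
            out[parts[2]] = (parts[0], parts[1])
    return out


def compare_builds(buildinfo_a, buildinfo_b):
    """Return (verdict, details) for two .buildinfo texts of the same source.

    verdict is "inputs-differ" (details: names of the inputs that differ),
    "unreproducible" (details: .deb files whose checksum or presence differs)
    or "reproducible" (details: []).
    """
    a, b = parse_buildinfo(buildinfo_a), parse_buildinfo(buildinfo_b)
    in_a, in_b = fixed_inputs(a), fixed_inputs(b)
    differing = sorted(k for k in in_a if in_a[k] != in_b[k])
    if differing:
        return "inputs-differ", differing
    ca, cb = deb_checksums(a), deb_checksums(b)
    bad = sorted((set(ca) ^ set(cb)) | {f for f in ca if f in cb and ca[f] != cb[f]})
    return ("unreproducible", bad) if bad else ("reproducible", [])


def sample_buildinfo(build_path, env_lines, deb_sha256):
    """Constructed .buildinfo text; package, versions and checksums are made up."""
    return (
        "Format: 1.0\n"
        "Source: example-pkg\n"
        "Binary: example-pkg\n"
        "Architecture: amd64\n"
        "Version: 1.0-1\n"
        "Checksums-Sha256:\n"
        f" {'0' * 64} 2048 example-pkg_1.0-1.dsc\n"
        f" {deb_sha256} 1234 example-pkg_1.0-1_amd64.deb\n"
        "Build-Origin: Debian\n"
        "Build-Architecture: amd64\n"
        f"Build-Path: {build_path}\n"
        "Installed-Build-Depends:\n"
        " debhelper (= 10.7.2),\n"
        " gcc (= 4:7.1.0-1)\n"
        "Environment:\n"
        + "".join(f" {line}\n" for line in env_lines)
    )


ENV = ['DEB_BUILD_OPTIONS="parallel=4"', 'LANG="C.UTF-8"']  # constructed
PATH = "/build/example-pkg-1.0"                            # constructed

if __name__ == "__main__":
    first = sample_buildinfo(PATH, ENV, "a1" * 32)
    print(compare_builds(first, sample_buildinfo(PATH, ENV, "a1" * 32)))
    print(compare_builds(first, sample_buildinfo(PATH, ENV, "b2" * 32)))
    print(compare_builds(first, sample_buildinfo("/tmp/other", ENV, "a1" * 32)))
```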

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Tue, 15 Aug 2017 19:15:03 GMT) (full text, mbox, link).

Acknowledgement sent to Adrian Bunk <bunk@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Tue, 15 Aug 2017 19:15:03 GMT) (full text, mbox, link).

Message #239 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@debian.org>
To: 844431@bugs.debian.org, reproducible-builds@lists.alioth.debian.org
Subject: Re: Bug#844431: Revised patch: seeking seconds
Date: Tue, 15 Aug 2017 22:09:30 +0300

On Tue, Aug 15, 2017 at 11:49:22AM -0700, Russ Allbery wrote:
> Adrian Bunk <bunk@debian.org> writes:
>
> > I would expect the reproducible builds team to not submit any bugs
> > regarding varied environment variables as long as the official
> > definition of reproducibility in policy states that this is not required
> > for a package to be reproducible.
>
> I believe the planned next step here is to publish the *.buildinfo files,
> which contain a specification of the environment variables the build cares
> about, and then Policy can be modified to include a description of
> *.buildinfo files and how to use them.  As part of those changes, we'd
> certainly update the definition of reproducible to reference matching the
> environment specified in the corresponding *.buildinfo file.

I do understand that.

My point is that we now have an official definition of what is required
for a package to be reproducible, and what is not required.

Future policy versions might change this definition, but whatever latest
policy states has to be the definition used by both packages and the
reproducible builds team.

Another example is that a package that is reproducible according to the
policy definition must not show up as non-reproducible in tracker/DDPO
based on results from the reproducible infrastructure.

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> :

Bug#844431 ; Package debian-policy . (Tue, 15 Aug 2017 19:51:06 GMT) (full text, mbox, link).

Acknowledgement sent to Holger Levsen <holger@layer-acht.org> :

Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>, Sean Whitton <spwhitton@spwhitton.name> . (Tue, 15 Aug 2017 19:51:06 GMT) (full text, mbox, link).

Message #244 received at 844431@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org> To: Adrian Bunk <bunk@debian.org>, 844431@bugs.debian.org Cc: reproducible-builds@lists.alioth.debian.org Subject: Re: Bug#844431: Revised pat