hi,

On Wed, May 14, 2025 at 10:56:41AM +0200, Guillem Jover wrote:
> Sure, I'd like to assume at the time this got implemented :), and also
> as part of every dpkg release:
> https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/build-aux/gen-release#n147
oh nice!
> > I guess someone would need to actually investigate some hundred packages
> > today, to see how things are really today.
> Perhaps my statements were sloppy though. When I said reproducible, I
> meant that the toolchain can produce them, assuming the source package
> itself does not get in the way via «debian/rules clean». I didn't mean
> we have 100% coverage on the Debian archive for example, where as you
> point out we (well someone :) would need to practically check whether
> that's the case. My assumption is that most would do, but I think it's
> realistic to expect that we might find a number of packages where
> «debian/rules clean» affects the source generation.
I've just checked devscripts and developers-reference, and much to my
surprise their source packages indeed built bit by bit identical:
$ diffoscope p1/developers-reference_13.19_source.changes p2/developers-reference_13.19_source.changes
--- p1/developers-reference_13.19_source.changes
+++ p2/developers-reference_13.19_source.changes
├── Files
│ @@ -1,4 +1,4 @@
│
│ 6c2a48c479ecd9d4710b64549f8ef44a 1644 doc optional
developers-reference_13.19.dsc
│ 283e1516834500ab48daf62c74714af2 575920 doc optional
developers-reference_13.19.tar.xz
│ - 3afde36f59e56164068ad521f11bc60a 6057 doc optional
developers-reference_13.19_source.buildinfo
│ + e3d438ba597ef522c68b9a730a7b32d4 6057 doc optional
developers-reference_13.19_source.buildinfo
├── developers-reference_13.19_source.buildinfo
│ ├── Build-Date
│ │ @@ -1 +1 @@
│ │ -Fri, 16 May 2025 11:54:47 +0000
│ │ +Fri, 16 May 2025 11:55:12 +0000
> I think whether we can reproduce the same source after a full build
> (so the equivalent of a twice in a row build) might perhaps be more
> challenging (and I'd expect less reproducibility there),
yes, me too, but that's not how source packages are built for real. :)
> but for a
> single download source + full build, we are only concerned about the
> «clean» target, as the source generation is performed as the first
> thing.
indeed
> OTOH, I think the current reproducible infra has probably all the
> data, and it might just be a matter of checking whether the unsigned
> *.dsc (from build-a and build-b) match? :)
yes, patches welcome! (I have more than enough on my plates, so I doubt
I'll dive into *this* rabbit hole in this decade. If you are interested
to do that on the r-b infra I'll be happy to help.)
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
Never waste a crisis.
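
Added example, not part of the original message and not code from dpkg or the reproducible-builds infrastructure: a sketch of the check discussed above, comparing the Files field of two *_source.changes documents and treating only the .buildinfo entry (which carries Build-Date) as an expected difference. The function names and the trimmed sample .changes text are constructed for illustration; the checksums and sizes are the ones shown in the diffoscope output above.

```python
# Constructed sample: a .changes document trimmed to a few fields.
CHANGES_TEMPLATE = """\
Format: 1.8
Source: developers-reference
Version: 13.19
Files:
 {dsc_md5} 1644 doc optional developers-reference_13.19.dsc
 283e1516834500ab48daf62c74714af2 575920 doc optional developers-reference_13.19.tar.xz
 {buildinfo_md5} 6057 doc optional developers-reference_13.19_source.buildinfo
"""
DSC_MD5 = "6c2a48c479ecd9d4710b64549f8ef44a"
BUILD_A = CHANGES_TEMPLATE.format(
    dsc_md5=DSC_MD5, buildinfo_md5="3afde36f59e56164068ad521f11bc60a")
BUILD_B = CHANGES_TEMPLATE.format(
    dsc_md5=DSC_MD5, buildinfo_md5="e3d438ba597ef522c68b9a730a7b32d4")
# Constructed failure case: the .dsc checksum differs between builds.
BUILD_C = CHANGES_TEMPLATE.format(
    dsc_md5="0" * 32, buildinfo_md5="e3d438ba597ef522c68b9a730a7b32d4")


def parse_files(changes_text):
    """Return {filename: (md5, size)} from the Files field of a .changes."""
    files, in_files = {}, False
    for line in changes_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line[:1] in (" ", "\t"):
            parts = line.split()
            if len(parts) == 5:  # md5 size section priority filename
                md5, size, _section, _priority, name = parts
                files[name] = (md5, int(size))
        elif in_files:
            break  # next field, blank line or signature ends the list
    return files


def compare_source_builds(changes_a, changes_b):
    """Sort differing entries into expected (.buildinfo) and unexpected."""
    a, b = parse_files(changes_a), parse_files(changes_b)
    expected, unexpected = [], []
    for name in sorted(set(a) | set(b)):
        if a.get(name) != b.get(name):
            bucket = expected if name.endswith(".buildinfo") else unexpected
            bucket.append(name)
    return {"reproducible": bool(a) and not unexpected,
            "expected": expected, "unexpected": unexpected}


if __name__ == "__main__":
    print(compare_source_builds(BUILD_A, BUILD_B))
    print(compare_source_builds(BUILD_A, BUILD_C))
```

The Files field carries MD5 sums; a check meant to be relied on would read the Checksums-Sha256 field of the same document instead.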

