On Tue, 15 Nov 2016, Chris Lamb wrote:
> [As a mild suggestion to streamline this; we should probably come to some
> consensus on principle of this addition to Policy first and only then
> move to the more difficult topic of defining exactly what reproducibility
> means in a technical sense.]

I don't think there will be much of a contention about this. Please propose wording (i.e. the diff to the policy text), but I recommend that you do *not* use "should" or "must" to make such reproducibility mandatory right now, only to define stuff like "*if* it is built for reproducibility, it must do so in such a way that...", etc.

Enforcing package reproducibility (should/must in policy) has to wait until a majority of the packages are effectively being reproducibly built for a small while (to shake up any issues), and the tooling ecosystem is complete so that it is actually usable to verify things. IMHO, this would be best done only after stretch is released, even if we reach >85% reproducibility levels *and* a full, working toolset before that.

As a suggestion, since a "may build reproducibly" policy is not going to give the readers the desired idea, the policy text proposal could use words to the effect that "it is recommended that", and "in the future, this will become a requirement".

Any packages that absolutely cannot be built in a reproducible way[1] can become officially allowed exceptions -- and we could likely teach the verification tools that specific regions of a package/file are to be random, and ignore those when comparing for reproducibility, too. But this would be tackled on in the future, between an already implemented policy of SHOULD is out, and >95% of the packages are being built reproducibly and policy is about to be changed to MUST. Therefore, the initial proposal just needs to acknowledge that this fact could happen and will be dealt with in time.

[1] Such as random noise added to kernel and firmware data structures during local builds, to be used as a last defense to avoid the *herd using same keys* effects, etc.

--
Henrique Holschuh