Sean Whitton <spwhit...@spwhitton.name> writes:

> ==== Proposal: ====

> This is what Holger and I think we should add to Policy, after
> readability tweaks:

> Packages should build reproducibly, which for purposes of this
> document means that given

> - a version of a source package unpacked at a given path;
> - a set of versions of installed build-dependencies; and
> - a build architecture,

> repeatedly building the source package on the architecture with those
> versions of the build dependencies installed will produce bit-for-bit
> identical binary packages.

I think we need to add all environment variables starting with DEB_* to
the prerequisites. If you set DEB_BUILD_OPTIONS=nostrip or
DEB_BUILD_MAINT_OPTIONS=hardening=all, you'll definitely get a different
package, for instance.

I feel like there are a bunch of other environment variables that have to
be consistent, although I'm not sure how to specify that since other
environment variables shouldn't matter. But, say, setting GNUTARGET is
very likely to cause weirdness by changing how ld works. There are
probably more interesting examples.

How does the current reproducible build testing work with the
environment? Maybe we should just document that for right now and relax
it later if needed?

> ==== Explanation: ====

> The definition from the reproducible builds group[1] says:

> A build is reproducible if given the same source code, build
> environment and build instructions, any party can recreate
> bit-by-bit identical copies of all specified artifacts.

> The relevant attributes of the build environment, the build
> instructions and the source code as well as the expected
> reproducible artifacts are defined by ... distributors.

> i.e. Debian has to define the build environment, source code and build
> instructions. I think that my wording defines these as Debian currently
> understands them.

> Later, we could narrow the definition of build environment by adding
> more constraints, but we're not there yet.

> [1] https://reproducible-builds.org/docs/definition/

We should add a link to that page (maybe in a footnote).

-- 
Russ Allbery (r...@debian.org)              <http://www.eyrie.org/~eagle/>
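The point made above, that the DEB_* environment is part of the build prerequisites, can be checked mechanically: build twice under an identical environment and compare every output file bit for bit, and record which DEB_* variables were in force so a mismatch can be attributed. The script below is an added example, not code from this thread or from Debian's own tooling; the build command, the DEB_* recording format and the "fake build" used in the demo are assumptions, since a real dpkg-buildpackage run is not available offline.

```shell
#!/bin/sh
# Added example: reproducibility check that treats DEB_* variables as
# part of the build environment (assumed tooling, not Debian's own).

# Sorted list of the DEB_* variables currently exported (empty if none).
# This is the environment record that belongs next to the source version,
# build-dependency versions and architecture in the prerequisites.
deb_env_record() {
    env | grep '^DEB_' | LC_ALL=C sort
}

# Run a build once under a given set of assignments and print a sorted
# sha256 listing of every file it produced.
#   $1 = "VAR=value ..." assignments to add to the environment (may be empty)
#   $2 = build command; it must write its artifacts into the directory $OUT
build_digest() {
    d=$(mktemp -d)
    ( cd "$d" && env $1 OUT="$d" sh -c "$2" >/dev/null )
    ( cd "$d" && find . -type f | LC_ALL=C sort | xargs sha256sum )
    rm -rf "$d"
}

# Returns 0 when two builds under the same environment are bit-for-bit
# identical, i.e. the package is reproducible under that environment.
same_env_reproducible() {
    a=$(build_digest "$1" "$2")
    b=$(build_digest "$1" "$2")
    [ "$a" = "$b" ]
}

# Returns 0 when changing the environment from $1 to $2 changes the
# output of build command $3, showing the variable must be pinned.
env_changes_output() {
    a=$(build_digest "$1" "$3")
    b=$(build_digest "$2" "$3")
    [ "$a" != "$b" ]
}

# Demo with a constructed stand-in for a package build: it writes a
# "binary" and keeps a symbol table only when nostrip is requested.
FAKE_BUILD='printf "main\n" > "$OUT/prog"
case " $DEB_BUILD_OPTIONS " in *" nostrip "*) printf "symbols\n" >> "$OUT/prog";; esac'

if [ "${1:-}" = "--demo" ]; then
    same_env_reproducible "" "$FAKE_BUILD" && echo "same env: reproducible"
    env_changes_output "" "DEB_BUILD_OPTIONS=nostrip" "$FAKE_BUILD" \
        && echo "DEB_BUILD_OPTIONS=nostrip: output differs, must be pinned"
    ( export DEB_BUILD_OPTIONS=nostrip; deb_env_record )
fi
```

Run with `--demo` to see the stand-in build behave as described; point `build_digest` at a real build command to check an actual package.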