Sean Whitton:
> diff --git a/policy/ch-source.rst b/policy/ch-source.rst
> index 127b125..cc4b020 100644
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -661,6 +661,22 @@ particularly complex or unintuitive source layout or
> build system (for
> example, a package that builds the same source multiple times to
> generate different binary packages).
>
> +Reproducibility
> +---------------
> +
> +Packages should build reproducibly, which for the purposes of this
> +document [#]_ means that given
> +
> +- a version of a source package unpacked at a given path;
> +- a set of versions of installed build dependencies;
> +- a set of environment variable values; and
> +- a build architecture,
> +
> +repeatedly building the source package on any machine of the same
> +architecture with those versions of the build dependencies installed
> +and exactly those environment variable values set will produce
> +bit-for-bit identical binary packages.
> +

To echo dkg and others' comments, it would be nice if we could add here:

+Packages are encouraged to produce bit-for-bit identical binary packages even
+if most environment variables and build paths are varied. This is technically
+more difficult at the time of writing, but it is intended that this stricter
+definition would replace the above one, when appropriate in the future.

If this type of "intent" wording is not appropriate for Policy then disregard what I'm saying; I don't wish to block this patch for this reason.

> .. [#]
> See the file ``upgrading-checklist`` for information about policy
> which has changed between different versions of this document.
> @@ -790,3 +806,7 @@ generate different binary packages).
> often creates either static linking or shared library conflicts, and,
> most importantly, increases the difficulty of handling security
> vulnerabilities in the duplicated code.
> +
> +.. [#]
> + This is Debian's precisification of the `reproducible-builds.org
> + definition <https://reproducible-builds.org/docs/definition/>`_.

"precisification" -> "more precise version"

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
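Review bot: in the first hunk (the new Reproducibility section), "will produce bit-for-bit identical binary packages" does not say which build outputs count as binary packages, so a reader could take per-build artefacts such as the ``.changes`` file, which carry timestamps and signatures, to be in scope; suggest `+bit-for-bit identical binary packages (the ``.deb`` files).` The closing clause "exactly those environment variable values set" also leaves it open whether variables that are present on one machine and absent on another count as a differing input; saying "an environment consisting of exactly those variables and no others" would settle it, since an unset variable is the usual source of a non-reproducible build that this definition is meant to exclude.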
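Review bot: in the second hunk, the new ``.. [#]`` definition depends on docutils matching auto-numbered ``[#]_`` references and ``.. [#]`` definitions by order of appearance, so it must stay after the existing ``.. [#]`` (the upgrading-checklist footnote visible in the first hunk's trailing context) or the two footnotes swap numbers silently; a one-line reST comment above it, e.g. `+.. this footnote must follow the upgrading-checklist footnote above`, would protect the ordering against a later edit. Independently of the reply's wording point, the two body lines `+ This is Debian's precisification of the ...` and `+ definition <...>`_.` must be indented under the ``.. [#]`` label for reST to treat them as the footnote body rather than as a new paragraph; worth confirming the indentation survived mailing.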