
Debian Bug report logs - #940234
debian-policy: add a section about source reproducibility


Package: debian-policy; Maintainer for debian-policy is Debian Policy Editors <debian-policy@lists.debian.org>; Source for debian-policy is src:debian-policy (PTS, buildd, popcon).

Reported by: Aurelien Jarno <aurel32@debian.org>

Date: Sat, 14 Sep 2019 11:39:09 UTC

Severity: wishlist

Tags: wontfix

Found in version debian-policy/4.4.0.1

Done: Russ Allbery <rra@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-builds@alioth-lists.debian.net, Debian Policy Editors <debian-policy@lists.debian.org>:
Bug#940234; Package debian-policy. (Sat, 14 Sep 2019 11:39:12 GMT) (full text, mbox, link).


Acknowledgement sent to Aurelien Jarno <aurel32@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-builds@alioth-lists.debian.net, Debian Policy Editors <debian-policy@lists.debian.org>. (Sat, 14 Sep 2019 11:39:12 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurel32@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: debian-policy: add a section about source reproducibility
Date: Sat, 14 Sep 2019 13:34:49 +0200
Package: debian-policy
Version: 4.4.0.1
Severity: wishlist

There is already a section about reproducibility in the debian-policy,
but it only mentions the binary packages. It might be a good idea to
add a new requirement that repeatedly building the source package in
the same environment produces an identical .dsc file modulo the GPG
signature.

I haven't checked how many packages do not fulfill this condition, but
there are for sure packages where the Build-Depends: entry in the dsc
file does not match the debian/control file, as they have been added
manually after the package build. TTBOMK there is nothing preventing
that in the debian policy.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

debian-policy depends on no packages.

Versions of packages debian-policy recommends:
ii  libjs-sphinxdoc  1.8.5-3

Versions of packages debian-policy suggests:
pn  doc-base  <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy Editors <debian-policy@lists.debian.org>:
Bug#940234; Package debian-policy. (Sat, 14 Sep 2019 14:15:06 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy Editors <debian-policy@lists.debian.org>. (Sat, 14 Sep 2019 14:15:06 GMT) (full text, mbox, link).


Message #10 received at 940234@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Aurelien Jarno <aurel32@debian.org>, 940234@bugs.debian.org
Subject: Re: Bug#940234: debian-policy: add a section about source reproducibility
Date: Sat, 14 Sep 2019 14:01:28 +0000
On Sat, Sep 14, 2019 at 01:34:49PM +0200, Aurelien Jarno wrote:
> There is already a section about reproducibility in the debian-policy,
> but it only mentions the binary packages. It might be a good idea to
> add a new requirement that repeatedly building the source package in
> the same environment produces an identical .dsc file modulo the GPG
> signature.
> 
> I haven't checked how many packages do not fulfill this condition

please do check. last (and only) time we (=r-b) looked, it wasn't
practical at all. this was around 5 years ago, but I don't remember any
work done on improving this.


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy Editors <debian-policy@lists.debian.org>:
Bug#940234; Package debian-policy. (Sat, 14 Sep 2019 14:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to David Bremner <david@tethera.net>:
Extra info received and forwarded to list. Copy sent to Debian Policy Editors <debian-policy@lists.debian.org>. (Sat, 14 Sep 2019 14:33:03 GMT) (full text, mbox, link).


Message #15 received at 940234@bugs.debian.org (full text, mbox, reply):

From: David Bremner <david@tethera.net>
To: Aurelien Jarno <aurel32@debian.org>, 940234@bugs.debian.org
Subject: Re: Bug#940234: debian-policy: add a section about source reproducibility
Date: Sat, 14 Sep 2019 10:56:02 -0300
Aurelien Jarno <aurel32@debian.org> writes:

> Package: debian-policy
> Version: 4.4.0.1
> Severity: wishlist
>
> There is already a section about reproducibility in the debian-policy,
> but it only mentions the binary packages. It might be a good idea to
> add a new requirement that repeatedly building the source package in
> the same environment produces an identical .dsc file modulo the GPG
> signature.
>
> I haven't checked how many packages do not fulfill this condition, but
> there are for sure packages where the Build-Depends: entry in the dsc
> file does not match the debian/control file, as they have been added
> manually after the package build. TTBOMK there is nothing preventing
> that in the debian policy.

I'm not sure if this is exactly the same issue, but I've recently been
thinking about (and messing up) source package reproducibility from git
repos. It is probably too early for policy language to be talking about
git, but it might be worth keeping in mind the fact that there are
various tools producing source packages, sometimes in non-obvious ways.

d



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy Editors <debian-policy@lists.debian.org>:
Bug#940234; Package debian-policy. (Sat, 14 Sep 2019 16:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sean Whitton <spwhitton@spwhitton.name>:
Extra info received and forwarded to list. Copy sent to Debian Policy Editors <debian-policy@lists.debian.org>. (Sat, 14 Sep 2019 16:09:03 GMT) (full text, mbox, link).


Message #20 received at 940234@bugs.debian.org (full text, mbox, reply):

From: Sean Whitton <spwhitton@spwhitton.name>
To: Holger Levsen <holger@layer-acht.org>, 940234@bugs.debian.org, Aurelien Jarno <aurel32@debian.org>, 940234@bugs.debian.org
Subject: Re: Bug#940234: debian-policy: add a section about source reproducibility
Date: Sat, 14 Sep 2019 08:58:21 -0700
Hello,

On Sat 14 Sep 2019 at 02:01PM +00, Holger Levsen wrote:

> On Sat, Sep 14, 2019 at 01:34:49PM +0200, Aurelien Jarno wrote:
>> There is already a section about reproducibility in the debian-policy,
>> but it only mentions the binary packages. It might be a good idea to
>> add a new requirement that repeatedly building the source package in
>> the same environment produces an identical .dsc file modulo the GPG
>> signature.
>>
>> I haven't checked how many packages do not fulfill this condition
>
> please do check. last (and only) time we (=r-b) looked, it wasn't
> practical at all. this was around 5 years ago, but I don't remember any
> work done on improving this.

Right.  While we can all agree that it would be nice for source package
builds to be reproducible, I think our current source package formats make
it quite a hard problem, so it would be good to have some data before we
spend any time discussing this further.

-- 
Sean Whitton

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy Editors <debian-policy@lists.debian.org>:
Bug#940234; Package debian-policy. (Sat, 14 Sep 2019 22:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy Editors <debian-policy@lists.debian.org>. (Sat, 14 Sep 2019 22:00:03 GMT) (full text, mbox, link).


Message #25 received at 940234@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: Sean Whitton <spwhitton@spwhitton.name>, 940234@bugs.debian.org
Cc: Holger Levsen <holger@layer-acht.org>, Aurelien Jarno <aurel32@debian.org>
Subject: Re: Bug#940234: debian-policy: add a section about source reproducibility
Date: Sat, 14 Sep 2019 23:57:43 +0200
On Sat, 2019-09-14 at 08:58:21 -0700, Sean Whitton wrote:
> On Sat 14 Sep 2019 at 02:01PM +00, Holger Levsen wrote:
> > On Sat, Sep 14, 2019 at 01:34:49PM +0200, Aurelien Jarno wrote:
> >> There is already a section about reproducibility in the debian-policy,
> >> but it only mentions the binary packages. It might be a good idea to
> >> add a new requirement that repeatedly building the source package in
> >> the same environment produces an identical .dsc file modulo the GPG
> >> signature.
> >>
> >> I haven't checked how many packages do not fulfill this condition
> >
> > please do check. last (and only) time we (=r-b) looked, it wasn't
> > practical at all. this was around 5 years ago, but I don't remember any
> > work done on improving this.
> 
> Right.  While we can all agree that it would be nice for source package
> builds to be reproducible, I think our current source package formats make
> it quite a hard problem, so it would be good to have some data before we
> spend any time discussing this further.

Back when we were fixing the binary package reproducible problems
within dpkg, I also checked the source side, and fixed a few
problematic cases. Assuming the same tools installed as defined in
the .buildinfo file, and the same content in the unpacked source
tree, dpkg-source should be producing the same output source packages.
If this does not hold, I'd consider it a bug to be fixed.

Thanks,
Guillem



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy Editors <debian-policy@lists.debian.org>:
Bug#940234; Package debian-policy. (Sun, 15 Sep 2019 12:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy Editors <debian-policy@lists.debian.org>. (Sun, 15 Sep 2019 12:57:03 GMT) (full text, mbox, link).


Message #30 received at 940234@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Guillem Jover <guillem@debian.org>, 940234@bugs.debian.org
Cc: Sean Whitton <spwhitton@spwhitton.name>, Aurelien Jarno <aurel32@debian.org>
Subject: Re: Bug#940234: debian-policy: add a section about source reproducibility
Date: Sun, 15 Sep 2019 12:53:34 +0000
On Sat, Sep 14, 2019 at 11:57:43PM +0200, Guillem Jover wrote:
> > >> I haven't checked how many packages do not fulfill this condition
> > > please do check. last (and only) time we (=r-b) looked, it wasn't
> > > practical at all. this was around 5 years ago, but I don't remember any
> > > work done on improving this.
> Back when we were fixing the binary package reproducible problems
> within dpkg, I also checked the source side, and fixed a few
> problematic cases. Assuming the same tools installed as defined in
> the .buildinfo file, and the same content in the unpacked source
> tree, dpkg-source should be producing the same output source packages.

oh, cool, thanks for spreading this information!

> If this does not hold, I'd consider it a bug to be fixed.

great!

so now someone just needs to do something^wa rebuild of say 1000 source
packages and share the stats...


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy Editors <debian-policy@lists.debian.org>:
Bug#940234; Package debian-policy. (Mon, 20 Jun 2022 12:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Teukumif tahulziran <tteukumiftahul09@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Policy Editors <debian-policy@lists.debian.org>. (Mon, 20 Jun 2022 12:48:04 GMT) (full text, mbox, link).


Message #40 received at 940234@bugs.debian.org (full text, mbox, reply):

From: Teukumif tahulziran <tteukumiftahul09@gmail.com>
To: 940234@bugs.debian.org
Subject: Re: debian-policy: add a section about source reproducibility
Date: Mon, 20 Jun 2022 19:43:45 +0700
On Sat, 14 Sep 2019 13:34:49 +0200 Aurelien Jarno <aurel32@debian.org>
wrote:
> Package: debian-policy
> Version: 4.4.0.1
> Severity: wishlist
>
> There is already a section about reproducibility in the debian-policy,
> but it only mentions the binary packages. It might be a good idea to
> add a new requirement that repeatedly building the source package in
> the same environment produces an identical .dsc file modulo the GPG
> signature.
>
> I haven't checked how many packages do not fulfill this condition, but
> there are for sure packages where the Build-Depends: entry in the dsc
> file does not match the debian/control file, as they have been added
> manually after the package build. TTBOMK there is nothing preventing
> that in the debian policy.
>
> -- System Information:
> Debian Release: bullseye/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
> Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> debian-policy depends on no packages.
>
> Versions of packages debian-policy recommends:
> ii  libjs-sphinxdoc  1.8.5-3
>
> Versions of packages debian-policy suggests:
> pn  doc-base  <none>
>
> -- no debconf information
>
>

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy Editors <debian-policy@lists.debian.org>:
Bug#940234; Package debian-policy. (Mon, 20 Jun 2022 13:15:02 GMT) (full text, mbox, link).


Acknowledgement sent to Bill Allombert <ballombe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy Editors <debian-policy@lists.debian.org>. (Mon, 20 Jun 2022 13:15:02 GMT) (full text, mbox, link).


Message #45 received at 940234@bugs.debian.org (full text, mbox, reply):

From: Bill Allombert <ballombe@debian.org>
To: Aurelien Jarno <aurel32@debian.org>, 940234@bugs.debian.org
Subject: Re: Bug#940234: debian-policy: add a section about source reproducibility
Date: Mon, 20 Jun 2022 15:10:29 +0200
On Mon, Jun 20, 2022 at 07:43:45PM +0700, Teukumif tahulziran wrote:
> On Sat, 14 Sep 2019 13:34:49 +0200 Aurelien Jarno <aurel32@debian.org>
> wrote:
> > Package: debian-policy
> > Version: 4.4.0.1
> > Severity: wishlist
> >
> > There is already a section about reproducibility in the debian-policy,
> > but it only mentions the binary packages. It might be a good idea to
> > add a new requirement that repeatedly building the source package in
> > the same environment produces an identical .dsc file modulo the GPG
> > signature.
> >
> > I haven't checked how many packages do not fulfill this condition, but
> > there are for sure packages where the Build-Depends: entry in the dsc
> > file does not match the debian/control file, as they have been added
> > manually after the package build. TTBOMK there is nothing preventing
> > that in the debian policy.

What about the fact that the .dsc includes the hash of the .debian.tar.xz
file that contains debian/control, so changing debian/control
invalidates the hash?

Cheers,
Bill



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy Editors <debian-policy@lists.debian.org>:
Bug#940234; Package debian-policy. (Mon, 20 Jun 2022 15:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy Editors <debian-policy@lists.debian.org>. (Mon, 20 Jun 2022 15:33:05 GMT) (full text, mbox, link).


Message #50 received at 940234@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Teukumif tahulziran <tteukumiftahul09@gmail.com>, 940234@bugs.debian.org
Subject: Re: Bug#940234: debian-policy: add a section about source reproducibility
Date: Mon, 20 Jun 2022 15:22:10 +0000
On Mon, Jun 20, 2022 at 07:43:45PM +0700, Teukumif tahulziran wrote:
> > There is already a section about reproducibility in the debian-policy,
> > but it only mentions the binary packages. It might be a good idea to
> > add a new requirement that repeatedly building the source package in
> > the same environment produces an identical .dsc file modulo the GPG
> > signature.

as you say, it *might* be a good idea, but in our experience it's not practical
because too many sources cannot be rebuilt reproducibly.

Also, and probably more importantly, it's quite unclear what the practical 
benefit is.... can you explain?

> > I haven't checked how many packages do not fulfill this condition

You should definitely do this before asking policy to be changed.
It's also not really hard, just loop through all source packages,
download them, rebuild them, compare.

And you might want to start with just the essential set. 

and, TBH, I'm pretty sure very few source packages can be rebuilt
reproducibly. Prove me wrong! :)

-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The corona crisis is peanuts compared to the global climate disaster.
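The three checks the thread circles around, as an added example (not code from the bug report, from dpkg or from the reproducible-builds project): the "rebuild, then compare the .dsc modulo the OpenPGP signature" step Holger describes, the point Bill makes that the .dsc carries the SHA-256 of the .debian.tar.* so a debian/control edited after the build no longer matches, and the case Aurelien reports, a Build-Depends edited in the .dsc itself, which still passes checksum verification and is only caught by comparing the .dsc against the debian/control packed inside the tarball. The package name hello_2.12-1, the debian/control text, the dummy clearsign block and the use of gzip rather than xz for the constructed tarball are all assumptions made for the example; real 3.0 (quilt) packages also list an orig tarball and carry Files/Checksums-Sha1 fields, omitted here.

```python
"""Consistency checks for a Debian .dsc and the .debian.tar it references (constructed example)."""
import gzip
import hashlib
import io
import tarfile

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
DEBIAN_TAR = "hello_2.12-1.debian.tar.gz"      # hypothetical file name for the example
SHARED_FIELDS = ("Source", "Maintainer", "Build-Depends", "Standards-Version")  # copied control -> dsc
CONTROL = """\
Source: hello
Maintainer: Example Maintainer <maintainer@example.org>
Build-Depends: debhelper-compat (= 13)
Standards-Version: 4.6.2

Package: hello
Architecture: any
Description: constructed example package
"""

def strip_clearsign(text):
    """Signed payload of an OpenPGP clearsigned .dsc, or the text unchanged if unsigned."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        return text
    i = 1
    while i < len(lines) and lines[i].strip():   # skip "Hash: ..." armor headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == BEGIN_SIG:
            break
        body.append(line[2:] if line.startswith("- ") else line)   # undo RFC 4880 dash-escaping
    return "\n".join(body) + "\n"

def parse_deb822(text):
    """First deb822 paragraph as {field: value}; continuation lines are joined by newlines."""
    fields, current = {}, None
    for line in strip_clearsign(text).splitlines():
        if not line.strip():
            if fields:
                break                              # end of the first paragraph
            continue
        if line[0] in " \t":
            fields[current] = (fields[current] + "\n" + line.strip()).lstrip("\n")
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = value.strip()
    return fields

def make_debian_tar(control_text):
    """.debian.tar.gz holding only debian/control; tar and gzip mtimes pinned to 0 for determinism."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        data = control_text.encode()
        info = tarfile.TarInfo("debian/control")
        info.size, info.mtime = len(data), 0
        tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:   # unpinned gzip mtime would differ per run
        gz.write(raw.getvalue())
    return out.getvalue()

def make_dsc(control_text, debian_tar, build_depends=None, signed=False):
    """The .dsc derived from debian/control; build_depends simulates a hand edit of the .dsc
    after the build, signed wraps the text in a constructed clearsign block with a dummy signature."""
    c = parse_deb822(control_text)
    text = "\n".join([
        "Format: 3.0 (quilt)", "Source: " + c["Source"], "Version: 2.12-1",
        "Maintainer: " + c["Maintainer"], "Standards-Version: " + c["Standards-Version"],
        "Build-Depends: " + (build_depends or c["Build-Depends"]),
        "Checksums-Sha256:",
        " %s %d %s" % (hashlib.sha256(debian_tar).hexdigest(), len(debian_tar), DEBIAN_TAR),
    ]) + "\n"
    if signed:
        text = "%s\nHash: SHA512\n\n%s%s\n\ndummy\n-----END PGP SIGNATURE-----\n" % (BEGIN_SIGNED, text, BEGIN_SIG)
    return text

def verify_checksums(dsc_text, files):
    """files: {name: bytes}. True per Checksums-Sha256 entry whose size and digest both match."""
    result = {}
    for entry in parse_deb822(dsc_text)["Checksums-Sha256"].splitlines():
        digest, size, name = entry.split()
        data = files.get(name)
        result[name] = (data is not None and len(data) == int(size)
                        and hashlib.sha256(data).hexdigest() == digest)
    return result

def control_mismatch(dsc_text, files):
    """Shared fields whose .dsc value disagrees with debian/control inside the referenced tarball."""
    dsc = parse_deb822(dsc_text)
    tar_name = next(n for n in files if ".debian.tar." in n)
    with tarfile.open(fileobj=io.BytesIO(files[tar_name]), mode="r:*") as tar:
        control = parse_deb822(tar.extractfile("debian/control").read().decode())
    return {k: (dsc[k], control[k]) for k in SHARED_FIELDS
            if k in dsc and k in control and dsc[k] != control[k]}

def dsc_diff(a, b):
    """Fields that differ between two .dsc texts, ignoring any OpenPGP signature."""
    fa, fb = parse_deb822(a), parse_deb822(b)
    return {k: (fa.get(k), fb.get(k)) for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}
```

In practice the rebuild is `dpkg-source -x` on the downloaded .dsc followed by `dpkg-source -b` in the same environment, and `dsc_diff` on the original and rebuilt .dsc is the comparison step. `verify_checksums` is the part that devscripts' `dscverify` performs on real packages; it is what makes a post-build edit of debian/control visible, because the tarball bytes change and the Checksums-Sha256 entry no longer matches. `control_mismatch` covers the other case: a Build-Depends changed only in the .dsc leaves every checksum valid, so only a comparison against the packed debian/control catches it.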

Added tag(s) moreinfo. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Sun, 10 Sep 2023 02:54:04 GMT) (full text, mbox, link).


Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Sun, 10 Sep 2023 04:27:03 GMT) (full text, mbox, link).


Notification sent to Aurelien Jarno <aurel32@debian.org>:
Bug acknowledged by developer. (Sun, 10 Sep 2023 04:27:03 GMT) (full text, mbox, link).


Message #57 received at 940234-done@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: 940234-done@bugs.debian.org
Subject: Re: Bug#940234: debian-policy: add a section about source reproducibility
Date: Sat, 09 Sep 2023 21:23:52 -0700
Holger Levsen <holger@layer-acht.org> writes:

>>> I haven't checked how many packages do not fulfill this condition

> You should definitely do this before asking policy to be changed.
> It's also not really hard, just loop through all source packages,
> download them, rebuild them, compare.

> And you might want to start with just the essential set. 

> and, TBH, I'm pretty sure very few source packages can be rebuilt
> reproducibly. Prove me wrong! :)

It's been about a year since the last response on this bug, and I think
the most recent round of responses were to someone who quoted the entire
original bug report without adding any new content.  I don't think we can
do anything with this bug on the Policy side until someone confirms that
source package reproducibility is viable, so I'm going to close this bug
for the time being.

If someone wants to do the work to confirm that, please do open a new bug
so that we can document it in Policy.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>



Added tag(s) wontfix. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Sun, 10 Sep 2023 04:33:04 GMT) (full text, mbox, link).


Removed tag(s) moreinfo. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Sun, 10 Sep 2023 04:39:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy Editors <debian-policy@lists.debian.org>:
Bug#940234; Package debian-policy. (Mon, 11 Sep 2023 01:12:14 GMT) (full text, mbox, link).


Acknowledgement sent to Edward Little <e.little598@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Policy Editors <debian-policy@lists.debian.org>. (Mon, 11 Sep 2023 01:12:14 GMT) (full text, mbox, link).


Message #66 received at 940234@bugs.debian.org (full text, mbox, reply):

From: Edward Little <e.little598@gmail.com>
To: 940234@bugs.debian.org
Subject: Re: Bug#940234: marked as done (debian-policy: add a section about source reproducibility)
Date: Sun, 10 Sep 2023 21:08:37 -0400
Please remove the following email address:  e.little598@gmail.com

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 Oct 2023 07:26:44 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Feb 3 06:13:28 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.