Re: Debian Buster will only be 54% reproducible (while we could be at >90%)
- Date: Wed, 6 Mar 2019 11:59:35 +0100
- From: Matthias Klumpp <matthias@xxxxxxxxxxxx>
- Subject: Re: Debian Buster will only be 54% reproducible (while we could be at >90%)
Am Mi., 6. März 2019 um 10:40 Uhr schrieb peter green <plugwash@xxxxxxxxxxx>:
> > Because of their design, binNMUs are unreproducible, see #894441  for
> > the details (in short: binNMUs are not what they are ment to be: the source
> > is changed and thrown away)
> To be specific, the source tree is extracted, then an entry is added to debian/changelog and then the package is built. This modified source tree is not retained.
(Experience report incoming)
I have once tried that in the Tanglu derivative, and found out that
this wasn't as easy as I initially thought because a lot of packages
run special tools prior to building their sources, e.g. to edit
d/control or to read d/changelog and inject data in several places.
So, the option there was either to create a chroot dedicated to the
source package rebuild (installing all Build-Deps and Pre-Deps prior
to the actual source rebuild), or to not actually rebuild the source
package but just edit the d/changelog file and recreate the tarball.
For Tanglu we went for the "just edit d/changelog and re-tar, re-sign
& upload" which worked fine and without any noticeable issues - this
was mainly due to the limited build power we had at the time. For
Debian, which has a lot more resources, just full rebuilding the
source with all dependencies is likely much cleaner, but this approach
might be a bit slow for huge transitions.
At Ubuntu, some people seem to do this process manually, that is run
some scripts locally, rebuild sources locally & upload (unless that
has changed recently).
In general, having source d/changelog aligned with the actual binaries
produced is a really great goal!
I welcome VSRE emails. See http://vsre.info/