Hi all, On 5/10/26 06:47, Paul Gevers wrote:
Reproducibility ===============Aided by the efforts of the Reproducible Builds project [1], we've decided it's time to say that Debian must ship reproducible packages. Since yesterday, we have enabled our migration software to block migration of new packages that can't be reproduced [2] or existing packages (in testing) that regress in reproducibility.
I forgot to mention that while we of course want all packages in testing to reproduce, we recognize there will be exceptions (which numbers hopefully will reduce over time). If you think your package needs an exception, please file a bug against the release.debian.org pseudo package (option 4 "other" in reportbug for now) and explain why you're not able to fix the issue.
I recognize that for packages that are not reproduced because of "NT_GNU_BUILD_ID" differences the current diffoscope log is not ideal as the real delta is stripped off and probably only visible in the dbgsym packages which aren't (currently) part of the automated comparison.
I'd like to iterate what Gioele mentioned earlier in this thread, there is a very clear difference in the way reproducibility is tested on https://tests.reproducible-builds.org/ vs https://reproduce.debian.net/. While the former is a stress test, the latter tries, with the info in the .buildinfo file, to reproduce what we ship. It's the latter case what some people call "easy", but it's also what matters to our users: can the binaries *they* use be reproduced.
For those that want to have an overview of their packages, both https://udd.debian.org/reproducibility/ and https://qa.debian.org/developer.php show the reproducibility and reproduced state.
Paul
OpenPGP_signature.asc
Description: OpenPGP digital signature
