Hi Shengjing,

Thanks for your reply!

One question I still have is: *How would the Debian Go packaging team reproduce the build if you were also in my situation?*

For example, with `golang-1.10 (=1.10.4-2ubuntu1~18.04.1)` not being available on the Ubuntu official package server now, if the packaging team wants to reproduce the build of `golang-docker-credential-helpers 0.5.0-2`, how would you do it? Would you also encounter the same issue that I'm dealing with right now?

Because I'm still new to the concept of reproducible builds, I'm wondering whether I'm overlooking some steps that must be done in order to reproduce an earlier build.

Best,
Yaobin

On Fri, Aug 13, 2021 at 11:25 AM Shengjing Zhu <[email protected]> wrote:

> On Fri, Aug 13, 2021 at 6:00 AM Yaobin Wen <[email protected]> wrote:
> > I have some thoughts and questions regarding the possible fixes to the issue:
> >
> > 1). Would it be helpful if I do not use the variable `${misc:Built-Using}` but hard-code the specific version in `control`? But hard-coding the specific version may cause problems in the future when the specified version of `golang-1.10` becomes unavailable.
>
> No. The variable exists for recording the depends which are used for building.
>
> > 2). Can I simply remove the use of `${misc:Built-Using}`? This email (https://lists.debian.org/debian-go/2018/09/msg00010.html) says "we're now against the policy" which seems to suggest `Built-Using` is not appropriate here. But if I understand the email correctly, even if this "against policy" issue were fixed, I would still run into the same issue because some other field "X-Go-Built-Using" would be used, so I think simply removing `Built-Using` is not right.
>
> It's Debian policy, not policy for other distributions. It depends on you to remove it or not for your own project.
>
> > 3). The unavailability of the older version `1.10.4-2ubuntu1~18.04.1` of `golang-1.10` seems to suggest that, if I want to truly achieve reproducible builds, I can't just rely on the external environment.
>
> Yes. It's not reality to expect reproducible build with different version of build depends.
>
> --
> Shengjing Zhu

--
Mine Vision Systems <https://www.minevisionsystems.com/>
5877 Commerce St. Suite 118
Pittsburgh PA, USA, 15206
