control: tag -1 +patch

This patch incorporates the feedback given on the proposal I sent yesterday, both in this bug and in person from Russ and Holger (thank you to all).
I am seeking formal seconds for this patch, from any DD.

In particular:

- for now, we only require reproducibility when the set of environment variable values set is exactly the same. This is because
  - the reproducible builds team aren't yet totally clear on the variables that they think may be allowed to vary
  - we should wait until .buildinfo is properly documented in policy, and then we can refer to that file
- we don't require reproducibility when build paths vary. This is because
  - since there is not a consensus on whether we should require this, and there is strong consensus on the requirement of reproducibility if the path does /not/ vary, this issue should not block this change. We should open a separate bug against debian-policy

diff --git a/policy/ch-source.rst b/policy/ch-source.rst index 127b125..cc4b020 100644 --- a/policy/ch-source.rst +++ b/policy/ch-source.rst @@ -661,6 +661,22 @@ particularly complex or unintuitive source layout or build system (for example, a package that builds the same source multiple times to generate different binary packages). +Reproducibility +--------------- + +Packages should build reproducibly, which for the purposes of this +document [#]_ means that given + +- a version of a source package unpacked at a given path; +- a set of versions of installed build dependencies; +- a set of environment variable values; and +- a build architecture, + +repeatedly building the source package on any machine of the same +architecture with those versions of the build dependencies installed +and exactly those environment variable values set will produce +bit-for-bit identical binary packages. + .. [#] See the file ``upgrading-checklist`` for information about policy which has changed between different versions of this document. 
@@ -790,3 +806,7 @@ generate different binary packages). often creates either static linking or shared library conflicts, and, most importantly, increases the difficulty of handling security vulnerabilities in the duplicated code. + +.. [#] + This is Debian's precisification of the `reproducible-builds.org + definition <https://reproducible-builds.org/docs/definition/>`_. -- Sean Whitton
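Review bot: In the first hunk (the new "Reproducibility" section), the second bullet "a set of versions of installed build dependencies" holds fixed only the declared build dependencies, so by this wording a difference in any other installed package falls outside what must be kept constant; if that narrowing is intended, it is worth stating, and if not, "the set of installed packages and their versions" would close the gap, which also lines up with the covering message's plan to refer to .buildinfo once it is documented in policy. The third bullet and the closing clause "exactly those environment variable values set" can likewise be read as constraining only the values of some chosen variables rather than the whole environment, whereas the covering message requires that "the set of environment variable values set is exactly the same"; wording it as "the same set of environment variables, each with the same value" would remove that ambiguity.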
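Review bot: In the second hunk, the footnote "This is Debian's precisification of the reproducible-builds.org definition" does not say in which respects it is more precise; from the covering message those are that the build path is held fixed and that the full set of environment variable values must match, so a short clause naming those two restrictions would let a reader of the policy see what was narrowed without consulting this bug. "Precisification" is also an unusual word for policy text; "refinement" or "more precise version" reads more plainly.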