On Sat, Aug 12, 2017 at 11:23:14AM -0700, Sean Whitton wrote: > I am seeking formal seconds for this patch, from any DD. > > In particular: > > - for now, we only require reproducibility when the set of environment > variable values set is exactly the same > > This is because > > - the reproducible builds team aren't yet totally clear on the > variables that they think may be allowed to vary > > - we should wait until .buildinfo is properly documented in policy, > and then we can refer to that file > > - we don't require reproducibility when build paths vary > > This is because > > - since there is not a consensus on whether we should require this, > and there is strong consensus on the requirement of reproducibility > if the path does /not/ vary, this issue should not block this change. > We should open a separate bug against debian-policy > > diff --git a/policy/ch-source.rst b/policy/ch-source.rst > index 127b125..cc4b020 100644 > --- a/policy/ch-source.rst > +++ b/policy/ch-source.rst > @@ -661,6 +661,22 @@ particularly complex or unintuitive source layout or > build system (for > example, a package that builds the same source multiple times to > generate different binary packages). > > +Reproducibility > +--------------- > + > +Packages should build reproducibly, which for the purposes of this > +document [#]_ means that given > + > +- a version of a source package unpacked at a given path; > +- a set of versions of installed build dependencies; > +- a set of environment variable values; and > +- a build architecture, > + > +repeatedly building the source package on any machine of the same > +architecture with those versions of the build dependencies installed > +and exactly those environment variable values set will produce > +bit-for-bit identical binary packages. > + > .. [#] > See the file ``upgrading-checklist`` for information about policy > which has changed between different versions of this document. 
> @@ -790,3 +806,7 @@ generate different binary packages). > often creates either static linking or shared library conflicts, and, > most importantly, increases the difficulty of handling security > vulnerabilities in the duplicated code. > + > +.. [#] > + This is Debian's precisification of the `reproducible-builds.org > + definition <https://reproducible-builds.org/docs/definition/>`_.
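Review bot: In the first hunk, the closing sentence of the new Reproducibility section restates the architecture, the build dependencies and the environment variables, but not the path condition from the first list item ("unpacked at a given path"). The cover text says reproducibility is not required when build paths vary, so the sentence as written could be read as path-independent. Consider "repeatedly building the source package unpacked at that path on any machine of the same architecture ..." so that all four listed inputs appear in the conclusion.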
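Review bot: In the second hunk, the definition appended at the end of the file is an anonymous auto-numbered `.. [#]`, while its `[#]_` reference sits in the section added by the first hunk, directly above the existing `.. [#]` upgrading-checklist definition. reStructuredText pairs anonymous auto-numbered references and definitions by their relative order in the document, so it is worth checking the rendered chapter to confirm the new reference resolves to the reproducible-builds.org footnote and not to a neighbouring one. A labelled footnote such as `[#reproducible]_` would remove the dependence on ordering. Separately, "precisification" may be hard on readers; "more precise version" says the same thing.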
very happily seconded, many thanks to everyone who has contributed to this bug directly or "indirectly" (I'm thinking specifically about Lunar here).

--
cheers,
Holger (who watched http://meetings-archive.debian.net/pub/debian-meetings/2017/debconf17/reproducible-builds-status-update.vp8.webm today and was equally happy when seeing the whole audience agreeing this should be in policy - and the applause after Russ's closing statement was also very very nice…!)