Your message dated Sat, 09 Sep 2023 21:23:52 -0700
with message-id <87o7iazmef....@hope.eyrie.org>
and subject line Re: Bug#940234: debian-policy: add a section about source 
reproducibility
has caused the Debian Bug report #940234,
regarding debian-policy: add a section about source reproducibility
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
940234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940234
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debian-policy
Version: 4.4.0.1
Severity: wishlist

There is already a section about reproducibility in the debian-policy,
but it only mentions the binary packages. It might be a good idea to
add a new requirement that repeatedly building the source package in
the same environment produces an identical .dsc file modulo the GPG
signature.

I haven't checked how many packages do not fulfill this condition, but
there are for sure packages where the Build-Depends: entry in the dsc
file does not match the debian/control file, as they have been added
manually after the package build. TTBOMK there is nothing preventing
that in the debian policy.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

debian-policy depends on no packages.

Versions of packages debian-policy recommends:
ii  libjs-sphinxdoc  1.8.5-3

Versions of packages debian-policy suggests:
pn  doc-base  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Holger Levsen <hol...@layer-acht.org> writes:

>>> I haven't checked how many packages do not fulfill this condition

> You should definitely do this before asking policy to be changed.
> It's also not really hard, just loop through all source packages,
> download them, rebuild them, compare.

> And you might want to start with just the essential set. 

> and, TBH, I'm pretty sure very few source packages can be rebuilt
> reproducibly. Prove me wrong! :)

It's been about a year since the last response on this bug, and I think
the most recent round of responses were to someone who quoted the entire
original bug report without adding any new content.  I don't think we can
do anything with this bug on the Policy side until someone confirms that
source package reproducibility is viable, so I'm going to close this bug
for the time being.

If someone wants to do the work to confirm that, please do open a new bug
so that we can document it in Policy.

-- 
Russ Allbery (r...@debian.org)              <https://www.eyrie.org/~eagle/>

--- End Message ---
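
The check the bug report asks for (two builds of a source package yielding an identical .dsc modulo the GPG signature), as an added example that is not part of this thread or of any Debian tool. The package name `hello-example`, the `libfoo-dev` entry, the zeroed checksum and the signature placeholder are all constructed.

```python
"""Compare two .dsc files field by field, ignoring the OpenPGP clearsign wrapper."""

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def strip_clearsign(text):
    """Return the payload lines of a clearsigned file (or all lines if unsigned)."""
    lines = text.splitlines()
    if BEGIN_MSG not in lines:
        return lines
    start = lines.index(BEGIN_MSG) + 1
    while start < len(lines) and lines[start].strip():
        start += 1                      # skip armor headers such as "Hash: SHA512"
    end = lines.index(BEGIN_SIG)        # ValueError if the signature block is missing
    # Clearsigning dash-escapes payload lines that begin with "-"; undo that.
    return [l[2:] if l.startswith("- ") else l for l in lines[start + 1:end]]

def parse_fields(lines):
    """Parse deb822 fields; names are case-insensitive, continuations are indented."""
    fields, current = {}, None
    for line in lines:
        if line[:1] in (" ", "\t") and current:
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            current = name.strip().lower()
            fields[current] = value.strip()
    return fields

def dsc_diff(a_text, b_text):
    """Return the sorted names of fields that differ between two .dsc files."""
    a = parse_fields(strip_clearsign(a_text))
    b = parse_fields(strip_clearsign(b_text))
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

# Constructed sample: what a local rebuild of the source package produced.
REBUILT = """Format: 3.0 (quilt)
Source: hello-example
Version: 1.0-1
Build-Depends: debhelper-compat (= 13)
Files:
 00000000000000000000000000000000 1024 hello-example_1.0-1.debian.tar.xz
"""
HEADER = BEGIN_MSG + "\nHash: SHA512\n\n"
FOOTER = "\n" + BEGIN_SIG + "\n\nPLACEHOLDER-NOT-A-SIGNATURE\n-----END PGP SIGNATURE-----\n"
# Constructed sample: the archive copy, signed, with Build-Depends edited by hand.
UPLOADED = HEADER + REBUILT.replace("(= 13)", "(= 13), libfoo-dev") + FOOTER

if __name__ == "__main__":
    print(dsc_diff(UPLOADED, REBUILT))  # fields that break source reproducibility
```

An empty result means the rebuilt .dsc matches the archive copy once the signature is set aside; any listed field is where the two diverge.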