“Reproducible builds” roundtable DebConf15 — 2015-08-20 ♥

dpkg
====

* #759999 - timestamps in ar container
  Timestamps in the ar container are the only thing that qualifies the build environment. Guillem wants the .buildinfo in the archive before removing the timestamp in the ar container so we don't lose that information.
* #787980 - normalize permissions
  Not reviewed yet by Guillem.
  Future scope: Debian implementation of tar
* #719845 - order in {data,control}.tar.gz
  Guillem has a patch, we just need to test it on reproducible.debian.net.

debhelper
=========

* #759886 Normalise mtimes in dh_builddeb
  Maybe move this to dpkg, but this might require an internal tar implementation in dpkg.
* #759895 add dh_strip_nondeterminism call - merged in git \o/ ♥
* #791823 SOURCE_DATE_EPOCH - merged in git \o/ ♥

.buildinfo
==========

https://wiki.debian.org/ReproducibleBuilds/History#A.buildinfo_control_files

Lunar wants this as a separately uploaded file; others propose putting the information in .changes or as an extra member of the .deb.

Reasons not to merge with .changes:
* .changes represents a transaction
* .changes doesn't have a standardised name
* .changes is not generally available on mirrors

Reasons not to include in the .deb:
* The .buildinfo cannot contain a build date/time (which I think Guillem wanted? See above)

Requirements for .buildinfo:
* multiple signatures
* Future QA: change toolchain and still see if reproducible (argument against in deb)

Proposal: don't add MD5 / SHA1
Proposal: Add SHA512 sum of the dependency in addition to " (= )" in Build-Environment

Fixed build path
================

The “Build-Path” is a privacy leak. But most binaries we build now already contain the build path.

Proposal: We could only include Build-Path in the .buildinfo if the path root is in a whitelist.

Use /tmp/buildd in sbuild/buildd => /var/src/debian/findutils-2.83-3/ ?

sbuild now uses a partly randomised build path, apparently so that users building the same package don't conflict.
Should be addressed using mount namespaces instead (at least on Linux).

Can we avoid including the build path in the binaries, making this moot?
* debugedit would get us part way there; OBS uses it
* __FILE__ in assertions also needs fixing

Agreement on fixing it in sbuild and storing it now until we really fix the problem.
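The dpkg and debhelper items above (member order in data.tar, mtimes normalised via SOURCE_DATE_EPOCH, normalised permissions and ownership) all come down to the same knobs on whatever writes the archive. The following is an added example, not code from dpkg, debhelper or the roundtable: it writes a .tar.gz in Python with those knobs pinned and shows that two builds of the same tree, created in a different order and with different wall-clock mtimes, produce byte-identical output. The sample tree, its file modes and the epoch value (2015-08-20T00:00:00Z, chosen to match the meeting date) are constructed for the demo; the mtime clamping rule (keep older mtimes, pin newer ones to the epoch) mirrors what GNU tar's --clamp-mtime does.

```python
"""Write a byte-for-byte reproducible .tar.gz from a directory tree.

Pins the three sources of non-determinism the roundtable lists for dpkg and
debhelper: member order, mtimes (SOURCE_DATE_EPOCH) and permissions/ownership.
The gzip header's own timestamp and filename field are pinned as well.
"""
import gzip
import hashlib
import io
import os
import stat
import tarfile
import tempfile

# Constructed value for the demo: 2015-08-20T00:00:00Z.
DEMO_SOURCE_DATE_EPOCH = 1440028800


def normalised_mode(st_mode):
    """Drop builder-specific bits: 0755 for directories and executables, else 0644."""
    if stat.S_ISDIR(st_mode) or st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return 0o755
    return 0o644


def sorted_walk(top):
    """Yield paths relative to top, depth-first in sorted order (like tar --sort=name)."""
    def walk(rel):
        abs_dir = os.path.join(top, rel) if rel else top
        for name in sorted(os.listdir(abs_dir)):
            child = os.path.join(rel, name) if rel else name
            yield child
            full = os.path.join(top, child)
            if os.path.isdir(full) and not os.path.islink(full):
                yield from walk(child)
    yield from walk("")


def deterministic_tar_gz(src_dir, source_date_epoch):
    """Return the bytes of a reproducible .tar.gz of src_dir.

    Members are added in sorted order, uid/gid forced to 0/root, the mode is
    normalised and every mtime is clamped to source_date_epoch: an older mtime
    is kept, a newer one is pinned to the epoch.
    """
    epoch = int(source_date_epoch)
    buf = io.BytesIO()
    # mtime=0 and an empty filename keep the gzip header free of local state.
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf, mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for rel in sorted_walk(src_dir):
                full = os.path.join(src_dir, rel)
                info = tar.gettarinfo(full, arcname=rel)
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
                info.mode = normalised_mode(os.lstat(full).st_mode)
                info.mtime = min(int(info.mtime), epoch)
                if info.isfile():
                    with open(full, "rb") as fh:
                        tar.addfile(info, fh)
                else:
                    tar.addfile(info)
    return buf.getvalue()


def member_summary(blob):
    """Read a .tar.gz back and list (name, mtime, uid, mode) per member, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return [(m.name, m.mtime, m.uid, m.mode) for m in tar.getmembers()]


def build_demo_tree(root, order, wall_clock_mtime):
    """Constructed sample tree: same content every time, but written in a
    caller-chosen order and stamped with a caller-chosen mtime, to imitate
    two independent builds on different machines."""
    files = {
        "usr/bin/tool": (b"#!/bin/sh\necho hello\n", 0o700),
        "usr/share/doc/tool/README": (b"tool docs\n", 0o664),
        "etc/tool.conf": (b"verbose=1\n", 0o600),
    }
    for rel in order:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        data, mode = files[rel]
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    for rel in sorted_walk(root):
        os.utime(os.path.join(root, rel), (wall_clock_mtime, wall_clock_mtime))


def demo_single_build(order, wall_clock_mtime):
    """Create the demo tree in a scratch directory and archive it reproducibly."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(d, order, wall_clock_mtime)
        return deterministic_tar_gz(d, DEMO_SOURCE_DATE_EPOCH)


def demo_two_builds_match():
    """Two builds, different file order and mtimes: return (sha256_a, sha256_b, equal?)."""
    blob_a = demo_single_build(
        ["usr/bin/tool", "etc/tool.conf", "usr/share/doc/tool/README"], 1700000000)
    blob_b = demo_single_build(
        ["usr/share/doc/tool/README", "usr/bin/tool", "etc/tool.conf"], 1700003600)
    da = hashlib.sha256(blob_a).hexdigest()
    db = hashlib.sha256(blob_b).hexdigest()
    return da, db, da == db


if __name__ == "__main__":
    a, b, same = demo_two_builds_match()
    print("build A:", a)
    print("build B:", b)
    print("identical:", same)
```

The same normalisation is what a packaging tool gets from GNU tar with --sort=name --mtime=@$SOURCE_DATE_EPOCH --clamp-mtime --owner=0 --group=0 --numeric-owner, plus gzip -n for the outer layer; the Python version just makes each knob visible so a reviewer can see which one a non-reproducible diff points at.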