
Bug#940234: debian-policy: add a section about source reproducibility



On Mon, Jun 20, 2022 at 07:43:45PM +0700, Teukumif tahulziran wrote:
> > There is already a section about reproducibility in the debian-policy,
> > but it only mentions the binary packages. It might be a good idea to
> > add a new requirement that repeatedly building the source package in
> > the same environment produces identical .dsc file modulo the GPG
> > signature.

As you say, it *might* be a good idea, but in our experience it's not practical
because too many sources cannot be rebuilt reproducibly.

Also, and probably more importantly, it's quite unclear what the practical
benefit is.... can you explain?

> > I haven't checked how many packages do not fulfill this condition

You should definitely do this before asking policy to be changed.
It's also not really hard, just loop through all source packages,
download them, rebuild them, compare.

And you might want to start with just the essential set. 

And, TBH, I'm pretty sure very few source packages can be rebuilt
reproducibly. Prove me wrong! :)
	

-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The corona crisis is peanuts compared to the global climate disaster.
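
The "compare" step of the loop described in the message above (download, rebuild, compare), as an added example that is not part of the original mail: it compares two .dsc files modulo the OpenPGP clearsign wrapper and reports which fields differ. The function names and all sample data are constructed for illustration.

```python
ARMOR_HEAD = "-----BEGIN PGP SIGNED MESSAGE-----"
ARMOR_SIG = "-----BEGIN PGP SIGNATURE-----"

def strip_signature(dsc_text):
    """Return the signed payload of a .dsc, or the text itself if unsigned."""
    lines = dsc_text.replace("\r\n", "\n").split("\n")
    if lines[0].strip() != ARMOR_HEAD:
        return "\n".join(lines).strip("\n") + "\n"
    start = lines.index("", 1) + 1          # skip armor headers ("Hash: ...")
    end = lines.index(ARMOR_SIG, start)     # payload stops at the signature
    # Undo RFC 4880 dash-escaping ("- " prefix) inside the payload.
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    return "\n".join(body).strip("\n") + "\n"

def parse_fields(payload):
    """Parse one deb822 paragraph into {field: value}."""
    fields, key = {}, None
    for line in payload.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()   # continuation line
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields

def differing_fields(dsc_a, dsc_b):
    """Names of fields that differ between two .dsc files, signature ignored."""
    a = parse_fields(strip_signature(dsc_a))
    b = parse_fields(strip_signature(dsc_b))
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

# Constructed sample data: not a real package, checksums or signature.
PAYLOAD = """Format: 3.0 (quilt)
Source: example
Version: 1.0-1
Checksums-Sha256:
 {orig} 1024 example_1.0.orig.tar.gz
 {deb} 2048 example_1.0-1.debian.tar.xz
"""
UPLOADED = (ARMOR_HEAD + "\nHash: SHA512\n\n"
            + PAYLOAD.format(orig="aa" * 32, deb="bb" * 32)
            + ARMOR_SIG + "\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n")
REBUILT_SAME = PAYLOAD.format(orig="aa" * 32, deb="bb" * 32)
REBUILT_DIFF = PAYLOAD.format(orig="aa" * 32, deb="cc" * 32)

if __name__ == "__main__":
    print(differing_fields(UPLOADED, REBUILT_SAME))
    print(differing_fields(UPLOADED, REBUILT_DIFF))
```

A non-empty result names the fields to investigate; a difference only in the checksum fields means one of the rebuilt tarballs is not byte-identical to the uploaded one.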
