On 2024-03-05, John Gilmore wrote:
>>>> ... it makes reproducibility from around 80-85% of all
>>>> packages to >95%, IOW with this shortcut we can have meaningful
>>>> reproducibility
>>>> *many years* sooner, than without. ...
> I'd rather that we knew and documented that 57% of
> packages are absolutely reproducible, 23% require SOURCE_DATE_EPOCH, and
> 12% still require a standardized source code directory, than to claim
> all 95% are "meaningfully reproducible" today.

Sounds like an interesting project for someone with significant spare time and computing resources to take on!

I take "meaningfully reproducible" to mean it is documented how to produce bit-for-bit identical results. In some cases, this requires metadata (e.g. Debian .buildinfo file) that you need to reproduce the build environment, and in some cases, this means you use the standard build tool for the distribution (e.g. nix or guix).

Those numbers Holger mentioned were because we historically had a compromise where our tests on tests.reproducible-builds.org Debian testing did not vary the build path and Debian unstable did vary the build path, and the difference mostly held at about 10-15% over the years.

In Debian, the build path is usually included in the .buildinfo file (at least for builds produced by Debian), which describes the packages and dependencies and various things about the build environment necessary to reproduce the build.

It would be pretty impractical, at least for Debian tests, to test without SOURCE_DATE_EPOCH, as dpkg has set SOURCE_DATE_EPOCH from debian/changelog for quite a few years now. Unless you want to test reproducibility of antique Debian releases...

live well,
  vagrant