Hello, On Sat, Aug 12 2017, Russ Allbery wrote:
> I suspect we want to say build and host architecture for right now.
> (Maybe we can later aspire to making the build architecture not
> matter.)
On Sat, Aug 12 2017, Ximin Luo wrote:
> To echo dkg and others' comments, it would be nice if we could add
> here:
>
> +Packages are encouraged to produce bit-for-bit identical binary
> packages even +if most environment variables and build paths are
> varied. This is technically +more difficult at the time of writing,
> but it is intended that this stricter +definition would replace the
> above one, when appropriate in the future.
Here is an updated patch addressing these. I reworded it to use
'recommended' and changed the tone to better suit policy.
Thank you Ximin, Russ and Johannes!
> "precisification" -> "more precise version"
Our definition is not actually a /version/ of the
reproducible-builds.org definition -- that would imply that our
definition could replace the reproducible-builds.org definition, like
upgrading a package.
'precisification' means roughly "filling out the missing specification
when it is appropriate to fill it out", which is what the r-p.org
definition instructs distributors to do.
diff --git a/policy/ch-source.rst b/policy/ch-source.rst
index 127b125..6e32870 100644
--- a/policy/ch-source.rst
+++ b/policy/ch-source.rst
@@ -661,6 +661,28 @@ particularly complex or unintuitive source layout or build
system (for
example, a package that builds the same source multiple times to
generate different binary packages).
+Reproducibility
+---------------
+
+Packages should build reproducibly, which for the purposes of this
+document [#]_ means that given
+
+- a version of a source package unpacked at a given path;
+- a set of versions of installed build dependencies;
+- a set of environment variable values;
+- a build architecture; and
+- a host architecture,
+
+repeatedly building the source package for the build architecture on
+any machine of the host architecture with those versions of the build
+dependencies installed and exactly those environment variable values
+set will produce bit-for-bit identical binary packages.
+
+It is recommended that packages produce bit-for-bit identical binaries
+even if most environment variables and build paths are varied. It is
+intended for this stricter standard to replace the above when it is
+easier for packages to meet it.
+
.. [#]
See the file ``upgrading-checklist`` for information about policy
which has changed between different versions of this document.
@@ -790,3 +812,7 @@ generate different binary packages).
often creates either static linking or shared library conflicts, and,
most importantly, increases the difficulty of handling security
vulnerabilities in the duplicated code.
+
+.. [#]
+ This is Debian's precisification of the `reproducible-builds.org
+ definition <https://reproducible-builds.org/docs/definition/>`_.
--
Sean Whitton
signature.asc
Description: PGP signature
