On 2016-07-19 00:49, Mike Hommey wrote:
On Sun, Jul 17, 2016 at 09:38:31AM -0700, David Bruant wrote:
Out of curiosity, how has the TOR team handled points 1 and 2?

I cannot answer for TOR, but I can answer for Debian, who also does
reproducible builds of Firefox.

1) is not addressed at all, and while the Firefox package is marked as
being reproducible, it's only because the chk files are not in the
Firefox package, but in the NSS package, which is separate, and is not
reproducible because of the .chk files.

2) Debian doesn't ship .tar.bz2 files, but .deb files, and the tools
that create those files deal with the reproducibility.

That being said, the packages that do reach Debian users are *not*
currently reproducible. Many of the required tools to make it happen are
not used to build normal packages. They are only used in a separate CI
that does two builds with a special toolchain and checks the results
are identical. (At least, that's my understanding of the current status)

It is at least the intention that all those toolchain changes end up in Debian itself and that packages can be built reproducibly in Debian itself. I know that at least dpkg recently added support for SOURCE_DATE_EPOCH, so we're making progress, I just don't know what the current state of everything is.

There was a talk at debconf about it, didn't have time to watch it yet:
http://meetings-archive.debian.net/pub/debian-meetings/2016/debconf16/Reproducible_Builds_status_update.webm


Kurt
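
The check described in this thread (build twice, compare the results, with timestamps pinned by SOURCE_DATE_EPOCH) applied to a .tar.bz2, as an added example that is not part of the original messages and not Debian's or Mozilla's tooling. The function names, the sample files and the fallback epoch value are assumptions made for illustration.

```python
import hashlib, io, os, tarfile, tempfile
from typing import Optional


def build_archive(src_dir: str, epoch: Optional[int]) -> bytes:
    """Pack src_dir into an in-memory .tar.bz2; normalize metadata if epoch is set."""
    def normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
        if epoch is not None:
            info.mtime = int(min(info.mtime, epoch))  # clamp to SOURCE_DATE_EPOCH
            info.uid = info.gid = 0                   # drop build-user identity
            info.uname = info.gname = ""
            info.mode = 0o755 if info.mode & 0o100 else 0o644  # ignore umask
        return info

    buf = io.BytesIO()
    # GNU format keeps integer mtimes in the header (no PAX extended records).
    with tarfile.open(fileobj=buf, mode="w:bz2", format=tarfile.GNU_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()                               # fixed traversal order
            for name in sorted(files):                # fixed member order
                path = os.path.join(root, name)
                tar.add(path, arcname=os.path.relpath(path, src_dir),
                        filter=normalize)
    return buf.getvalue()


def two_builds(epoch: Optional[int]) -> tuple:
    """Build the same constructed tree twice with different file mtimes, as two
    checkouts made at different times would have; return both SHA-256 digests."""
    digests = []
    with tempfile.TemporaryDirectory() as src:
        for name in ("b.txt", "a.txt"):               # constructed sample input
            with open(os.path.join(src, name), "w") as f:
                f.write("contents of " + name)
        for checkout_time in (1_900_000_000, 2_000_000_000):
            for name in os.listdir(src):
                os.utime(os.path.join(src, name), (checkout_time, checkout_time))
            digests.append(hashlib.sha256(build_archive(src, epoch)).hexdigest())
    return tuple(digests)


if __name__ == "__main__":
    # 1468800000 is a constructed fallback, not a value from the thread.
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "1468800000"))
    print("normalized:  ", two_builds(epoch))
    print("unnormalized:", two_builds(None))
```

bzip2 streams carry no timestamp of their own, so only the tar metadata needs normalizing here; a gzip-compressed archive would also need its header mtime fixed.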
