On 2024-03-04, John Gilmore wrote:
> Vagrant Cascadian wrote:
>> > > to make it easier to debug other issues, although deprioritizing them
>> > > makes sense, given buildd.debian.org now normalizes them.
>
> James Addison via rb-general <rb-general@lists.reproducible-builds.org> wrote:
>> Ok, thank you both. A number of these bugs are currently recorded at severity
>> level 'normal'; unless told not to, I'll spend some time to double-check their
>> details and - assuming all looks OK - will bulk downgrade them to 'wishlist'
>> severity a week or so from now.

Well, I think we should change it to "minor" rather than "wishlist"
severity, but that may be splitting hairs; I do not find a huge amount
of difference between Debian bug severities... they are pretty much
either critical/serious/grave and thus must be fixed, or
normal/minor/wishlist and fixed when someone feels like it.

> I may be confused about this. These bug reports are that a package cannot
> be reproducibly built because its output binary depends on the directory in
> which it was built?
>
> Why would these become "wishlist" bugs as opposed to actual reproducibility
> bugs that deserve fixing, just because one server at Debian no longer invokes
> this bug because it always uses the same build directory?
>
> If an end user can't download a source package (into any directory on
> any machine), and build it into the same exact binary as the one that Debian
> ships, this is not a "wishlist" idea for some future enhancement. This
> is a real issue that prevents the code from being reproducible.

I agree it is a real issue, but admit it is fairly easy to work around,
given most package building tools use chroots or containers or similar,
it seems acceptable to treat build paths as a lower priority.

Compare that to timestamps, which are non-trivial to force to use the
exact same clock moving at the exact same rate, I would say build path
normalization is quite tolerable, if not ideal.

You cannot just build on "any machine", the machine needs to have a
sufficiently similar build environment (e.g. exactly matching compiler
versions, same architecture, etc.) and whether the build path is part of
that or not is simply a decision to make.

Several (many?) other distros normalize the build path as part of their
standard build tooling; Debian is arguably a latecomer to that practice.

I have definitely argued in favor of addressing build path issues, and
encourage people to fix them, and have personally spent more than a
small amount of time working on it, and we have made huge progress on
fixing (tens of?) thousands of them.

There are only so many hours in the day and so many people actively
working on fixing things... there may be bigger fires to put out at the
moment.

live well,
  vagrant