Debian must ship reproducible packages
179 points - today at 5:26 AM
uecker today at 9:47 AM
This is a huge achievement for Debian and the free software world.
It took a while, though, until this was understood. In 2007, when pointing out on debian-devel that this is needed, I was still told what a huge waste of time this would be. And indeed it took a huge amount of work by many people to get there, but it is well worth it.
suprjami today at 11:00 AM
I am always surprised Debian are leading this and not the commercial vendors. You'd think big organisations paying for RHEL and Ubuntu would be beating down the door for verifiable binaries.
perlgeek today at 9:08 AM
https://wiki.debian.org/ReproducibleBuilds has some more info; some is outdated, but it also has a chart showing how many packages are built in the CI, and how many of those are reproducible builds.
(Orange = FTBR = "failed to build reproducibly")
I'm not good at reading numbers from charts, but I'd guess it's a few percent (4-5ish?).
Zopieux today at 8:16 AM
A great milestone, congrats Debian on taking a stance and holding high standards for yourself, especially in the current era.
jaypatelani today at 7:28 AM
Good thing. NetBSD has had fully reproducible builds since 2017. https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_...
micw today at 10:22 AM
I wonder why this is a thing nowadays. I use yocto for embedded devices and it was almost a no-brainer to implement reproducible builds. I can also easily enable Debian package management, so everything is already available.
Hendrikto today at 11:15 AM
Why the fuck does that site break the back button? DO NOT do that.
pixel_popping today at 8:34 AM
Forbidden
You don't have permission to access this resource. Apache Server at lists.debian.org Port 443
:/
einpoklum today at 10:57 AM
Debian must ship packages without the hard dependence on systemd.
inglor_cz today at 8:26 AM
Has anyone fought Microsoft Visual Studio successfully to produce reproducible builds of C++ programs? From what I have heard, it is one of the worst contexts to do it.
shevy-java today at 6:53 AM
A small step for Debian,
giant leap for mankind.
charcircuit today at 9:56 AM
So much time has been wasted on reproducible builds which could have been better spent on securing more important parts of Debian. Practically, minor changes like a build timestamp being different are not an issue.
kkfx today at 7:43 AM
Debian, like any other legacy distro, must become declarative, because the '80s model of manual deploy and the absurd pain of D/I and Preseed must end.
blueflow today at 6:17 AM
Zero improvement on end-user experience. Does not solve supply chain issues; the Debian package will reproducibly contain the malware from upstream.