From bf256860fbf9d7dccc05fe1aa85841b7a1b1d712 Mon Sep 17 00:00:00 2001 From: Sean Whitton Date: Mon, 14 Aug 2017 09:23:46 -0700 Subject: [PATCH] Packages should build reproducibly * Policy: Packages should build reproducibly Wording: Sean Whitton Seconded: Holger Levsen Seconded: Ondrej Novy Seconded: Russ Allbery Seconded: Ximin Luo Seconded: gregor herrmann Closes: #844431 --- debian/changelog | 8 ++++++++ policy/ch-source.rst | 26 ++++++++++++++++++++++++++ policy/upgrading-checklist.rst | 8 ++++++++ 3 files changed, 42 insertions(+) diff --git a/debian/changelog b/debian/changelog index 1a2ee1e..19cae24 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,14 @@ debian-policy (4.0.2.0) UNRELEASED; urgency=medium [ Sean Whitton ] + * Policy: Packages should build reproducibly + Wording: Sean Whitton + Seconded: Holger Levsen + Seconded: Ondrej Novy + Seconded: Russ Allbery + Seconded: Ximin Luo + Seconded: gregor herrmann + Closes: #844431 * Fix a singular/plural error in 9.6. Thanks to Didier Raboud for pointing out the problem. diff --git a/policy/ch-source.rst b/policy/ch-source.rst index c941e6d..f706a13 100644 --- a/policy/ch-source.rst +++ b/policy/ch-source.rst 
@@ -663,6 +663,28 @@ particularly complex or unintuitive source layout or build system (for example, a package that builds the same source multiple times to generate different binary packages). +Reproducibility +--------------- + +Packages should build reproducibly, which for the purposes of this +document [#]_ means that given + +- a version of a source package unpacked at a given path; +- a set of versions of installed build dependencies; +- a set of environment variable values; +- a build architecture; and +- a host architecture, + +repeatedly building the source package for the build architecture on +any machine of the host architecture with those versions of the build +dependencies installed and exactly those environment variable values +set will produce bit-for-bit identical binary packages. + +It is recommended that packages produce bit-for-bit identical binaries +even if most environment variables and build paths are varied. It is +intended for this stricter standard to replace the above when it is +easier for packages to meet it. + .. [#] See the file ``upgrading-checklist`` for information about policy which has changed between different versions of this document. @@ -792,3 +814,7 @@ generate different binary packages). often creates either static linking or shared library conflicts, and, most importantly, increases the difficulty of handling security vulnerabilities in the duplicated code. + +.. [#] + This is Debian's precisification of the `reproducible-builds.org + definition `_. diff --git a/policy/upgrading-checklist.rst b/policy/upgrading-checklist.rst index 6ba4920..5d9c263 100644 --- a/policy/upgrading-checklist.rst +++ b/policy/upgrading-checklist.rst 
@@ -48,6 +48,14 @@ Unreleased. ``debian/watch`` configuration to indicate how to find the upstream signature for new releases is recommended. +4.15 + Packages should build reproducibly when certain factors are held + constant; see 4.15 for the list. + +4.15 + Packages are recommended to build reproducibly even when build + paths and most environment variables are allowed to vary. + Version 4.0.1 ------------- -- 2.11.4.GIT
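Review bot: The debian/changelog entry (hunk `@@ -1,6 +1,14 @@`) restates the commit message but does not say where in Policy the new requirement landed; since the upgrading-checklist hunk cites section 4.15, adding that section reference to the changelog line (e.g. `* Policy: Packages should build reproducibly (4.15)`) would let readers of the changelog find it without opening the checklist.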
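Review bot: The auto-numbered footnote reference `[#]_` in the new `Reproducibility` section (hunk `@@ -663,6 +663,28 @@`) is placed immediately before the existing definition `.. [#] See the file ``upgrading-checklist`` ...`, while its own definition is added at the very end of the file in the second ch-source.rst hunk. reStructuredText pairs `[#]_` references with `.. [#]` definitions in document order, so this resolves correctly only if every earlier auto-numbered reference in the chapter is already matched to an earlier definition; please render the chapter and confirm that the footnote in the Reproducibility section points at the reproducible-builds.org note and not at the upgrading-checklist one. The definition itself reads well: it fixes the source path, build-dependency versions, environment, build architecture and host architecture, and the following paragraph correctly describes the path/environment-varying case as the stricter standard.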
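Review bot: In the footnote definition added at the end of policy/ch-source.rst (hunk `@@ -792,3 +814,7 @@`), the hyperlink reads `` `reproducible-builds.org definition `_ `` with no `<URL>` before the closing backtick. If the angle-bracketed target was dropped in transit, ignore this; if it is absent in the actual patch, docutils will look for a named hyperlink target called `reproducible-builds.org definition` and fail with an unknown-target error, so the URL of the definition needs to go inside `<...>` there. Also, `precisification` is an unusual word; `more precise version of` (or `refinement of`) says the same thing more plainly.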
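Review bot: Both new entries in policy/upgrading-checklist.rst (hunk `@@ -48,6 +48,14 @@`) carry the same `4.15` label, and the first one says `see 4.15 for the list`, i.e. it points back at the section it is already labelled with. Consider merging them into a single `4.15` entry with two sentences (the `should` requirement with its held-constant factors, and the recommendation for varied build paths and environment variables), or at least dropping the self-reference. Separately, the ch-source.rst hunk does not show a section number for the new `Reproducibility` heading, so please confirm that inserting it after the build-system paragraph at line 663 does make it section 4.15 and does not renumber a later section that the checklist already refers to.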