Hacker News

Debian must ship reproducible packages

177 points by robalni today at 5:26 AM | 59 comments

Comments

uecker today at 9:47 AM

This is a huge achievement for Debian and the free software world.

It took a while though until this was understood. In 2007 when pointing out on debian-devel that this is needed, I was still told what a huge waste of time this would be. And indeed it took a huge amount of work by many people to get there, but it is well worth it.

suprjami today at 11:00 AM

I am always surprised Debian are leading this and not the commercial vendors. You'd think big organisations paying for RHEL and Ubuntu would be beating down the door for verifiable binaries.

perlgeek today at 9:08 AM

https://wiki.debian.org/ReproducibleBuilds has some more info; some is outdated, but it also has a chart showing how many packages are built in the CI, and how many of those are reproducible builds.

(Orange = FTBR = "failed to build reproducibly")

I'm not good at reading numbers from charts, but I'd guess it's a few percent (4-5ish?).

Zopieux today at 8:16 AM

A great milestone, congrats Debian on taking a stance and holding high standards for yourself, especially in the current era.

jaypatelani today at 7:28 AM

Good thing. NetBSD has had fully reproducible builds since 2017. https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_...

micw today at 10:22 AM

I wonder why this is a thing nowadays. I use Yocto for embedded devices and it was almost a no-brainer to implement reproducible builds. I can also easily enable Debian package management, so everything is already available.

Hendrikto today at 11:15 AM

Why the fuck does that site break the back button? DO NOT do that.

pixel_popping today at 8:34 AM

Forbidden

You don't have permission to access this resource. Apache Server at lists.debian.org Port 443

:/

einpoklum today at 10:57 AM

Debian must ship packages without the hard dependence on systemd.

inglor_cz today at 8:26 AM

Has anyone fought Microsoft Visual Studio successfully to produce reproducible builds of C++ programs? From what I have heard, it is one of the worst contexts to do it.

shevy-java today at 6:53 AM

A small step for Debian,

giant leap for mankind.


charcircuit today at 9:56 AM

So much time has been wasted on reproducible builds which could have been better spent on securing more important parts of Debian. Practically, minor changes like a build timestamp being different are not an issue.

kkfx today at 7:43 AM

Debian, like any other legacy distro, must become declarative, because the '80s model of manual deploy and the absurd pain of D/I and Preseed must end.

blueflow today at 6:17 AM

Zero improvement on end-user experience. Does not solve supply chain issues; Debian packages will reproducibly contain the malware from upstream.
