1 min read

Yesterday, Holger Levsen, a member of the team maintaining reproducible.debian.net, started a discussion on reproducible builds, stating that “Debian Buster will only be 54% reproducible (while we could be at >90%)”.

He started off by stating that tests indicate Debian Buster’s 26476 source packages (92.8%) out of 28523 source packages in total can be built reproducibly in buster/amd64. The 28523 source packages build 57448 binary packages.

Next, by looking at binary packages that Debian actually distributes, he says that Vagrant came up with an idea to check buildinfo.debian.net for .deb files for which there exists 2 or more .buildinfo.

Turning this into a Jenkins job, he checked the above idea for all 57448 binary
packages (including downloading all those .deb files from ftp.d.o)  in amd64/buster/main. He obtained the following results:

reproducible packages in buster/amd64: 30885: (53.7600%)
unreproducible packages in buster/amd64: 26543: (46.2000%)
reproducible binNMUs in buster/amd64: 0: (0%)
unreproducible binNMU in buster/amd64: 7423: (12.9200%)

He suggests that binNMUs are unreproducible because of their design and his proposed solution to obtain reproducible nature is that ‘binNMUs should be replaced by easy “no-change-except-debian/changelog-uploads‘. This means a 12% increase in reproducibility from 54%. Next, he also discovered that 6804 source packages need a rebuild from December 2016. This is because these packages were built with an old dpkg not producing .buildinfo
files. 6804 of 28523 accounts for 23.9%. Summing everything up- 54%+12%+24% equals 90% reproducibility.

Refer to the entire discussion thread for more details on this news.

Read Next

Google Project Zero discovers a cache invalidation bug in Linux memory management, Ubuntu and Debian remain vulnerable

User discovers bug in debian stable kernel upgrade; armmp package affected

Debian 9.7 released with fix for RCE flaw