<h3>Summary of reproducibility of other projects (all AIUI)</h3>
<p>Many projects support reproducible builds by now, but it's unclear what that means, how it's enforced and how users can know and be confident...</p>
<p>We mostly still haven't found what we're looking for, because it's hard and without 100% it's pointless also.</p>
<h3>Summary of reproducibility of other projects (all AIUI)</h3>
<p>Many projects support reproducible builds by now, but it's unclear what that means, how it's enforced and how users can know and be confident...</p>
<p>We mostly still haven't found what we're looking for, because it's hard and without 100% it's basically impossible to do a sensible user experience.</p>
<p>We mostly still haven't found what we're looking for, because it's really hard. <br>For example: without 100% it's basically impossible to do a sensible user experience.</p>
@@ -420,7 +414,7 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
<p>DebConf20</p>
<p>DebConf21</p>
<pclass="fragment">“I feel I have given warnings that the next Debian release will not be reproducible for years.” is a quote from last year.</p>
<pclass="fragment">“I feel I have given warnings that the next Debian release will not be reproducible for years.” <spanclass="fragment">is a quote from last years.</span></p>
<pclass="fragment">...and I feel fine! 😀</p>
</section>
...
...
@@ -477,30 +471,20 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.
<li>We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.<pclass="fragment">https://beta.tests.reproducible-builds.org/debian <em>is showing</em> rebuilds of ftp.debian.org - huge thanks to Frédéric Pierret for this PoC.</p></li>
<liclass="fragment">Sadly, Frédéric's rebuilder is down atm...</li>
<li>We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.<p>https://beta.tests.reproducible-builds.org/debian <em>is showing</em> rebuilds of ftp.debian.org - huge thanks to Frédéric Pierret for this PoC.</p></li>
<listyle="font-size: 90%">Up until recently we had two main blockers for rebuilders:</li>
<ulstyle="font-size: 80%">
<liclass="fragment">>3000 packages without .buildinfo files, fixed by myself in February 2021 and in June 2022.</li>
<liclass="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
<li>We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
<li> That's why I called 93% (or whatever) a "lie".</li>
<listyle="font-size: 90%">Up until recently we had two main blockers for rebuilders:</li>
<ulstyle="font-size: 80%">
<liclass="fragment">>3000 packages without .buildinfo files, fixed by myself in February 2021 and in June 2022.</li>
<liclass="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
<liclass="fragment">We have no <strong>Debian</strong> infrastructure rebuilding Debian packages. The reproducible-builds.org rebuilders are builders, not rebuilders.</li>
<liclass="fragment">https://beta.tests.reproducible-builds.org/debian <em>is showing</em> rebuilds of ftp.debian.org - huge thanks to Frédéric Pierret for this PoC.</li>
<liclass="fragment">Sadly, Frédéric's rebuilder is down atm...</li>
<liclass="fragment">And one rebuilder is not good enough also. It's a start though.</li>
<liclass="fragment">snapshot.debian.org was (and is) unusable for rebuilds, fixed by Frédéric Pierret and josch since June 2021, by providing a partial mirror for amd64 only and only going back until January 2017.</li>
<liclass="fragment">though snapshot.notset.fr is currently down.</li>
<liclass="fragment">and snapshot.reproducible-builds.org ist not yet up</li>
<liclass="fragment">though snapshot.notset.fr is currently down and snapshot.reproducible-builds.org ist not yet up... :/</li>
<h3>"Solved" problems with <code>.buildinfo</code> files</h3>
<ulstyle="font-size: 98%">
<li>buildinfos.debian.net is just a proof of concept, but it kinda works around #862073, #763822, #862538, #929397</li>
<li>buildinfos.debian.net is just a proof of concept, but it works around #862073, #763822, #862538, #929397 well enough.</li>
<liclass="fragment">we had >3000 packages without .buildinfo files, I NMUed all of them (with the help of David Bremner!) 😇 Just NEW ones will keep coming...</li>
<liclass="fragment">GPG keys expire.</li>
</ul>
...
...
@@ -631,9 +630,10 @@ Arch Linux is 86.4% reproducible with 1701 bad and 10849 good packages.