- This is a huge achievement for Debian and the free software world.
It took a while though until this was understood. In 2007 when pointing out on debian-devel that this is needed, I was still told what a huge waste of time this would be. And indeed it took a huge amount of work by many people to get there, but it is well worth it.
- https://wiki.debian.org/ReproducibleBuilds has some more info; some is outdated, but it also has a chart showing how many packages are built in the CI, and how many of those are reproducible builds.
(Orange = FTBR = "failed to build reproducibly")
I'm not good at reading numbers from charts, but I'd guess it's a few percent (4-5ish?).
- I am always surprised Debian are leading this and not the commercial vendors. You'd think big organisations paying for RHEL and Ubuntu would be beating down the door for verifiable binaries.
- A great milestone, congrats Debian on taking a stance and holding high standards for yourself, especially in the current era.
by jaypatelani
2 subcomments
- Good thing. NetBSD has had fully reproducible builds since 2017. https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_...
- I wonder why this is a thing nowadays. I use Yocto for embedded devices and it was almost a no-brainer to implement reproducible builds. I can also easily enable Debian package management, so everything is already available.
by pixel_popping
1 subcomments
- Forbidden
You don't have permission to access this resource.
Apache Server at lists.debian.org Port 443
:/
- Why the fuck does that site break the back button? DO NOT do that.
- Debian must ship packages without the hard dependence on systemd.
by inglor_cz
2 subcomments
- Has anyone fought Microsoft Visual Studio successfully to produce reproducible builds of C++ programs? From what I have heard, it is one of the worst contexts to do it.
by shevy-java
1 subcomments
- A small step for Debian,
giant leap for mankind.
by charcircuit
1 subcomments
- So much time has been wasted on reproducible builds which could have been better spent on securing more important parts of Debian. Practically, minor changes like a build timestamp being different are not an issue.
- Debian, like any other legacy distro, must become declarative, because the '80s model of manual deploy and the absurd pain of D/I and Preseed must end.
- Zero improvement on end-user experience. Does not solve supply chain issues; the Debian package will reproducibly contain the malware from upstream.