Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

It is supposedly possible to increase reproducibility from 54% to 90% in Debian Buster!

Save for later
  • 2 min read
  • 06 Mar 2019

article-image

Yesterday, Holger Levsen, a member of the team maintaining reproducible.debian.net, started a discussion on reproducible builds, stating that “Debian Buster will only be 54% reproducible (while we could be at >90%)”.

He started off by stating that tests indicate Debian Buster’s 26476 source packages (92.8%) out of 28523 source packages in total can be built reproducibly in buster/amd64. The 28523 source packages build 57448 binary packages.

Next, by looking at binary packages that Debian actually distributes, he says that Vagrant came up with an idea to check buildinfo.debian.net for .deb files for which there exists 2 or more .buildinfo.

Turning this into a Jenkins job, he checked the above idea for all 57448 binary
packages (including downloading all those .deb files from ftp.d.o)  in amd64/buster/main. He obtained the following results:

reproducible packages in buster/amd64: 30885: (53.7600%)
unreproducible packages in buster/amd64: 26543: (46.2000%)
and
reproducible binNMUs in buster/amd64: 0: (0%)
unreproducible binNMU in buster/amd64: 7423: (12.9200%)

He suggests that binNMUs are unreproducible because of their design and his proposed solution to obtain reproducible nature is that 'binNMUs should be replaced by easy "no-change-except-debian/changelog-uploads'. This means a 12% increase in reproducibility from 54%. Next, he also discovered that 6804 source packages need a rebuild from December 2016. This is because these packages were built with an old dpkg not producing .buildinfo
files. 6804 of 28523 accounts for 23.9%. Summing everything up- 54%+12%+24% equals 90% reproducibility.

Refer to the entire discussion thread for more details on this news.


Google Project Zero discovers a cache invalidation bug in Linux memory management, Ubuntu and Debian remain vulnerable

User discovers bug in debian stable kernel upgrade; armmp package affected

Debian 9.7 released with fix for RCE flaw

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at €18.99/month. Cancel anytime