Will Ubuntu work with reproducible builds?
(This is a copy of my answer on ubuntu-devel.)
With very few exceptions, nearly all of Debian's work on this will just be going into the packages that form part of the package build toolchain, and as such Ubuntu will inherit it over the natural course of merging and syncing packages from Debian. The possible exceptions are things like the proposed libfaketime etc. preloads that we might insert into builds; I'd certainly be keen to keep up to date with things Debian does in this area, not just to protect against intrusion but also because there are immediate practical benefits to doing so (safer multiarch handling).
I'm not aware that this has been specifically discussed within Canonical, mostly because most of the relevant people are pretty heads-down working on the Ubuntu Touch product at the moment; but I also think there's work to be done in Debian first before we pick anything up.
This question is somewhat badly defined. Every distro ever will work with a reproducible build. Any build that includes no information about the environment it was built from is reproducible. It's the external state of the build environment that causes problems.
Want a "reproducible build"?
#include <stdio.h>
int main ( int argc, char * argv[] ) {
printf ("%s\n", "hello world");
return 0;
}
Want a non-reproducable build?
#include <stdio.h>
int main ( int argc, char * argv[] ) {
printf ("%s\n", __DATE__); // this will change every day.
return 0;
}
It's not about will Ubuntu "work with". It has always worked with. It's about what will be done to "ensure that", and "reject violations".
With that said, currently the plan is to address the problems in GCC and the individual packages. I'm not aware of any plans to reject things that are not reproducible. In addition there is a new .buildinfo
which helps shed light on why things may not be reproducible.
See also,
- Are Ubuntu builds deterministic? Why not