Are Ubuntu builds deterministic? Why not?
No, they're not. Let's clarify a distinction here:
- Does the system support "reproducible builds"?
  Yes, all systems support packages that are deterministic.
- Does the system enforce "reproducible builds"?
  Nope, though it does help diagnose problems, and work is being done to make packages reproducible -- bugs are being reported and handled anyway.
- Is everything, without exception, reproducible?
  Not even close.
Now let's define "reproducible builds":
A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.
The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.
Now let's talk about what is required
Check out this page under "How", which lays down three criteria:
1. the build system needs to be made entirely deterministic: transforming a given source must always create the same result. Typically, the current date and time must not be recorded and output always has to be written in the same order.
2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.
3. users should be given a way to recreate a close enough build environment, perform the build process, and verify that the output matches the original build.
You can find more documentation about all of that here.
As to why Ubuntu isn't currently reproducible, things like Perl currently fail because -V stores the compiler args for convenience -- they're waiting on GCC to patch this upstream. A lot of this functionality could simply be nuked. Some other problems: some man pages and programs have the build dates compiled in, others compile in mutable paths to shared libraries and the like.
Not being reproducible isn't a problem or a vulnerability. It just makes it harder to verify that you haven't been tampered with, and currently that functionality is being viewed as more valuable.
You can follow Debian's progress towards determinism here.
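The three criteria above and the "build date compiled in" failure mode, as an added example that is not part of the answer and not code from Ubuntu or Debian: a toy "build" packs constructed source files into a .tar.gz twice, once the naive way and once following the criteria, and then does the criterion-3 check of rebuilding and comparing. SOURCE_DATE_EPOCH is the real Debian/reproducible-builds convention and the GNU tar/gzip flags in the comments are real; SOURCES, FALLBACK_EPOCH, build(), is_reproducible(), members() and gzip_mtime() are names made up for this example.

```python
# Added example; not code from the answer, Ubuntu or Debian. Builds a toy
# .tar.gz "package" twice from constructed sources, once ignoring the three
# criteria and once following them, and checks whether the runs agree
# bit-for-bit. SOURCE_DATE_EPOCH is the real reproducible-builds convention;
# FALLBACK_EPOCH and the file contents are made up for the demo.
import gzip
import hashlib
import io
import os
import random
import tarfile
import time

# Constructed sample source tree (contents are arbitrary).
SOURCES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int util(int x) { return x + 1; }\n",
    "Makefile": b"all:\n\tcc -o demo src/main.c src/util.c\n",
}

FALLBACK_EPOCH = 1_700_000_000  # assumed value used when SOURCE_DATE_EPOCH is unset


def build(sources, reproducible):
    """Return the bytes of a .tar.gz built from `sources`.

    reproducible=False shows the failures named in the answer: a build-time
    stamp compiled into the artifact, and entries written in whatever order
    the filesystem happened to hand them over.
    """
    if reproducible:
        # Criterion 1: no current date/time; fixed (sorted) output order.
        # Criterion 2: the one environment input, the timestamp, is recorded
        # as SOURCE_DATE_EPOCH so another party can reuse it.
        mtime = int(os.environ.get("SOURCE_DATE_EPOCH", FALLBACK_EPOCH))
        names = sorted(sources)
    else:
        mtime = int(time.time())
        names = random.sample(list(sources), len(sources))  # stand-in for readdir order

    out = io.BytesIO()
    # gzip stores MTIME in its own header, so it must be pinned as well
    # (GNU gzip: -n / --no-name).
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz, \
            tarfile.open(fileobj=gz, mode="w") as tar:
        for name in names:
            data = sources[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            # Owner fields would otherwise leak the builder's uid/gid
            # (GNU tar: --owner=0 --group=0 --numeric-owner).
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
        if not reproducible:
            # The classic mistake: a "built on ..." stamp baked into the output.
            stamp = f"built at {time.time_ns()} ns\n".encode()
            info = tarfile.TarInfo("BUILD_INFO")
            info.size, info.mtime = len(stamp), mtime
            tar.addfile(info, io.BytesIO(stamp))
    return out.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def is_reproducible(build_fn):
    """Criterion 3: rebuild and compare. True only if both runs are identical."""
    return sha256(build_fn()) == sha256(build_fn())


def members(blob):
    """Decode an archive into (name, mtime) pairs in stored order, for diagnosis."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return [(m.name, m.mtime) for m in tar.getmembers()]


def gzip_mtime(blob):
    """MTIME field of the gzip header (bytes 4..7, little-endian)."""
    return int.from_bytes(blob[4:8], "little")


if __name__ == "__main__":
    for label, flag in (("naive", False), ("reproducible", True)):
        a, b = build(SOURCES, flag), build(SOURCES, flag)
        print(f"{label:12} run1={sha256(a)[:16]} run2={sha256(b)[:16]} "
              f"identical={a == b}")
        if a != b:
            # A one-line diffoscope: show what drifted between the two runs.
            print("   members:", members(a), "vs", members(b))
```

Running it twice on different days, or on a different machine with the same SOURCE_DATE_EPOCH exported, gives the same digest for the reproducible variant; the naive variant never matches even two consecutive runs, and the member listing shows why (the BUILD_INFO stamp and the shuffled order). Real packages fail for the same reasons at a larger scale, which is what the Debian tracking page linked above records.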